Picks

https://review.lineageos.org/q/topic:%22n-asb-2023-06%22

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-14.1/android_frameworks_av/358729.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Mon, 27 Mar 2023 18:16:46 -0500
+Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling
+
+readSampleData() did not initialize buffer before filling it,
+leading to OOB memory references. Correct and clarify the book
+keeping around output buffer management.
+
+Bug: 275418191
+Test: CtsMediaExtractorTestCases w/debug messages
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
+Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+---
+ media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
+index c3e8f20473..40fe71866e 100644
+--- a/media/libstagefright/NuMediaExtractor.cpp
++++ b/media/libstagefright/NuMediaExtractor.cpp
+@@ -481,9 +481,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(TrackInfo *info, const sp<
+         numPageSamples = -1;
+     }
+ 
++    // insert, including accounting for the space used.
+     memcpy((uint8_t *)buffer->data() + info->mSample->range_length(),
+            &numPageSamples,
+            sizeof(numPageSamples));
++    buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples));
+ 
+     uint32_t type;
+     const void *data;
+@@ -532,6 +534,8 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+ 
+     ssize_t minIndex = fetchTrackSamples();
+ 
++    buffer->setRange(0, 0);     // start with an empty buffer
++
+     if (minIndex < 0) {
+         return ERROR_END_OF_STREAM;
+     }
+@@ -546,25 +550,25 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+         sampleSize += sizeof(int32_t);
+     }
+ 
++    // capacity() is ok since we cleared out the buffer
+     if (buffer->capacity() < sampleSize) {
+         return -ENOMEM;
+     }
+ 
++    const size_t srclen = info->mSample->range_length();
+     const uint8_t *src =
+         (const uint8_t *)info->mSample->data()
+             + info->mSample->range_offset();
+ 
+-    memcpy((uint8_t *)buffer->data(), src, info->mSample->range_length());
++    memcpy((uint8_t *)buffer->data(), src, srclen);
++    buffer->setRange(0, srclen);
+ 
+     status_t err = OK;
+     if (info->mTrackFlags & kIsVorbis) {
++        // adjusts range when it inserts the extra bits
+         err = appendVorbisNumPageSamples(info, buffer);
+     }
+ 
+-    if (err == OK) {
+-        buffer->setRange(0, sampleSize);
+-    }
+-
+     return err;
+ }
+ 

Patches/LineageOS-14.1/android_frameworks_base/358732.patch

@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <valiiftime@google.com>
+Date: Wed, 22 Feb 2023 09:38:55 +0100
+Subject: [PATCH] Prevent RemoteViews crashing SystemUi
+
+  Catch canvas drawing exceptions caused  by unsuported image sizes.
+
+Test: 1. Post a custom view notification with a layout
+	containing an ImageView that references a 5k x 5k image
+2. Add an App Widget to the home screen with that has the
+	layout mentioned above as preview/initial layout.
+
+Bug: 268193777
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d)
+Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+---
+ .../android/appwidget/AppWidgetHostView.java  | 38 ++++++++++++++-----
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
+index 5d99ada9a024..07a23916b4c9 100644
+--- a/core/java/android/appwidget/AppWidgetHostView.java
++++ b/core/java/android/appwidget/AppWidgetHostView.java
+@@ -248,19 +248,26 @@ public class AppWidgetHostView extends FrameLayout {
+             super.onLayout(changed, left, top, right, bottom);
+         } catch (final RuntimeException e) {
+             Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e);
+-            removeViewInLayout(mView);
+-            View child = getErrorView();
+-            prepareView(child);
+-            addViewInLayout(child, 0, child.getLayoutParams());
+-            measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
+-                    MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
+-            child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
+-                    child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
+-            mView = child;
+-            mViewMode = VIEW_MODE_ERROR;
++            handleViewError();
+         }
+     }
+ 
++    /**
++     * Remove bad view and replace with error message view
++     */
++    private void handleViewError() {
++        removeViewInLayout(mView);
++        View child = getErrorView();
++        prepareView(child);
++        addViewInLayout(child, 0, child.getLayoutParams());
++        measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
++                MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
++        child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
++                child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
++        mView = child;
++        mViewMode = VIEW_MODE_ERROR;
++    }
++
+     /**
+      * Provide guidance about the size of this widget to the AppWidgetManager. The widths and
+      * heights should correspond to the full area the AppWidgetHostView is given. Padding added by
+@@ -767,4 +774,15 @@ public class AppWidgetHostView extends FrameLayout {
+                     }
+                 };
+     }
++
++    @Override
++    protected void dispatchDraw(Canvas canvas) {
++        try {
++            super.dispatchDraw(canvas);
++        } catch (Exception e) {
++            // Catch draw exceptions that may be caused by RemoteViews
++            Log.e(TAG, "Drawing view failed: " + e);
++            post(this::handleViewError);
++        }
++    }
+ }

Patches/LineageOS-14.1/android_frameworks_base/358733.patch

@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Lee <brnlee@google.com>
+Date: Fri, 17 Feb 2023 16:05:17 -0800
+Subject: [PATCH] Check key intent for selectors and prohibited flags
+
+Bug: 265015796
+Test: atest
+FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
+(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8)
+Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
+Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
+---
+ .../server/accounts/AccountManagerService.java | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index b27f9b08c05e..bdbf03eda2f5 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4244,10 +4244,6 @@ public class AccountManagerService
+             if (intent.getClipData() == null) {
+                 intent.setClipData(ClipData.newPlainText(null, null));
+             }
+-            intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
+             long bid = Binder.clearCallingIdentity();
+             try {
+                 PackageManager pm = mContext.getPackageManager();
+@@ -4290,7 +4286,19 @@ public class AccountManagerService
+             if (intent == null) {
+                 return (simulateIntent == null);
+             }
+-            return intent.filterEquals(simulateIntent);
++            if (!intent.filterEquals(simulateIntent)) {
++                return false;
++            }
++
++            if (intent.getSelector() != simulateIntent.getSelector()) {
++                return false;
++            }
++
++            int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
++                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
++                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
++                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
++            return (simulateIntent.getFlags() & prohibitedFlags) == 0;
+         }
+ 
+         private void close() {

Patches/LineageOS-14.1/android_frameworks_base/358734.patch

@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kweku Adams <kwekua@google.com>
+Date: Wed, 21 Sep 2022 22:13:01 +0000
+Subject: [PATCH] Handle invalid data during job loading.
+
+Catch exceptions that may be thrown if invalid data ended up in the
+persisted job file.
+
+Bug: 246541702
+Bug: 246542132
+Bug: 246542285
+Bug: 246542330
+Test: install test app with invalid job config, start app to schedule job, then reboot device
+(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203)
+Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+---
+ .../java/com/android/server/job/JobStore.java | 28 +++++++++++++++++--
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java
+index 602b9c755e88..80750ab0b927 100644
+--- a/services/core/java/com/android/server/job/JobStore.java
++++ b/services/core/java/com/android/server/job/JobStore.java
+@@ -464,6 +464,12 @@ public class JobStore {
+                 if (JobSchedulerService.DEBUG) {
+                     Slog.d(TAG, "Error parsing xml.", e);
+                 }
++            } catch (Exception e) {
++                if (JobSchedulerService.DEBUG) {
++                    // Crashing at this point would result in a boot loop, so live with a general
++                    // Exception for system stability's sake.
++                    Slog.d(TAG, "Unexpected exception", e);
++                }
+             }
+         }
+ 
+@@ -575,6 +581,15 @@ public class JobStore {
+             } catch (NumberFormatException e) {
+                 Slog.d(TAG, "Error reading constraints, skipping.");
+                 return null;
++            } catch (XmlPullParserException e) {
++                Slog.d(TAG, "Error Parser Exception.", e);
++                return null;
++            } catch (IOException e) {
++                Slog.d(TAG, "Error I/O Exception.", e);
++                return null;
++            } catch (IllegalArgumentException e) {
++                Slog.e(TAG, "Constraints contained invalid data", e);
++                return null;
+             }
+             parser.next(); // Consume </constraints>
+ 
+@@ -668,8 +683,14 @@ public class JobStore {
+                 return null;
+             }
+ 
+-            PersistableBundle extras = PersistableBundle.restoreFromXml(parser);
+-            jobBuilder.setExtras(extras);
++            final PersistableBundle extras;
++            try {
++                extras = PersistableBundle.restoreFromXml(parser);
++                jobBuilder.setExtras(extras);
++            } catch (IllegalArgumentException e) {
++                Slog.e(TAG, "Persisted extras contained invalid data", e);
++                return null;
++            }
+             parser.nextTag(); // Consume </extras>
+ 
+             // Migrate sync jobs forward from earlier, incomplete representation
+@@ -700,7 +721,8 @@ public class JobStore {
+             return new JobInfo.Builder(jobId, cname);
+         }
+ 
+-        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) {
++        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser)
++                throws XmlPullParserException, IOException {
+             String val = parser.getAttributeValue(null, "connectivity");
+             if (val != null) {
+                 jobBuilder.setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY);

Patches/LineageOS-14.1/android_packages_apps_Settings/358738.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 7 Mar 2023 10:36:41 -0800
+Subject: [PATCH] Convert argument to intent in AddAccountSettings.
+
+Bug: 265798353
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da)
+Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
+Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
+---
+ src/com/android/settings/accounts/AddAccountSettings.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java
+index ce16ba3d5a..c2613e7fbc 100644
+--- a/src/com/android/settings/accounts/AddAccountSettings.java
++++ b/src/com/android/settings/accounts/AddAccountSettings.java
+@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity {
+                     addAccountOptions.putParcelable(EXTRA_USER, mUserHandle);
+                     intent.putExtras(addAccountOptions);
+                     intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+-                    startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle);
++                    startActivityForResultAsUser(
++                            new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
+                 } else {
+                     setResult(RESULT_OK);
+                     if (mPendingIntent != null) {

Patches/LineageOS-14.1/android_packages_apps_TvSettings/358739.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 7 Mar 2023 10:55:07 -0800
+Subject: [PATCH] Convert argument to intent in addAccount TvSettings.
+
+Bug: 265798353
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac)
+Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e
+Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e
+---
+ .../tv/settings/accounts/AddAccountWithTypeActivity.java        | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+index 5f1dc0977..6294128f6 100644
+--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
++++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+@@ -50,7 +50,7 @@ public class AddAccountWithTypeActivity extends Activity {
+                     Log.e(TAG, "Failed to retrieve add account intent from authenticator");
+                     setResultAndFinish(Activity.RESULT_CANCELED);
+                 } else {
+-                    startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT);
++                    startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT);
+                 }
+             } catch (IOException|AuthenticatorException|OperationCanceledException e) {
+                 Log.e(TAG, "Failed to get add account intent: ", e);

Patches/LineageOS-14.1/android_system_bt/358735.patch

@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 11 Oct 2022 21:23:22 +0000
+Subject: [PATCH] Prevent use-after-free of HID reports
+
+BTA sends the the HID report pointer to BTIF and deallocates it immediately.
+This is now prevented by providing a deep copy callback function for HID
+reports when tranferring context from BTA to BTIF.
+
+This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
+already merged on T for b/227620181.
+
+Bug: 228837201
+Test: Validated against researcher POC, ran BT unit tests, played audio
+manually.
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
+Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
+Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
+---
+ btif/src/btif_hh.c | 49 +++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c
+index a4057cca5..69e87b9f8 100644
+--- a/btif/src/btif_hh.c
++++ b/btif/src/btif_hh.c
+@@ -1093,6 +1093,38 @@ static void btif_hh_upstreams_evt(UINT16 event, char* p_param)
+         }
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         btif_hh_hsdata_rpt_copy_cb
++ *
++ * Description      Deep copies the tBTA_HH_HSDATA structure
++ *
++ * Returns          void
++ *
++ ******************************************************************************/
++
++static void btif_hh_hsdata_rpt_copy_cb(UINT16 event, char* p_dest,
++                                       char* p_src) {
++  tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
++  tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
++  BT_HDR* hdr;
++
++  if (!p_src) {
++    BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
++    return;
++  }
++
++  memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
++
++  hdr = p_src_data->rsp_data.p_rpt_data;
++  if (hdr != NULL) {
++    UINT8* p_data = ((UINT8*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
++    memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
++
++    p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
++  }
++}
++
+ /*******************************************************************************
+ **
+ ** Function         bte_hh_evt
+@@ -1107,6 +1139,7 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data)
+ {
+     bt_status_t status;
+     int param_len = 0;
++    tBTIF_COPY_CBACK* p_copy_cback = NULL;
+ 
+     if (BTA_HH_ENABLE_EVT == event)
+         param_len = sizeof(tBTA_HH_STATUS);
+@@ -1118,16 +1151,26 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data)
+         param_len = sizeof(tBTA_HH_CBDATA);
+     else if (BTA_HH_GET_DSCP_EVT == event)
+         param_len = sizeof(tBTA_HH_DEV_DSCP_INFO);
+-    else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event)|| (BTA_HH_GET_IDLE_EVT == event))
++    else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
+         param_len = sizeof(tBTA_HH_HSDATA);
+-    else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
++    else if (BTA_HH_GET_RPT_EVT == event) {
++      BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
++      param_len = sizeof(tBTA_HH_HSDATA);
++
++      if (hdr != NULL) {
++        p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
++        param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
++      }
++    } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
++               (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+         param_len = sizeof(tBTA_HH_CBDATA);
+     else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event) )
+         param_len = sizeof(tBTA_HH_DEV_INFO);
+     else if (BTA_HH_API_ERR_EVT == event)
+         param_len = 0;
+     /* switch context to btif task context (copy full union size for convenience) */
+-    status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event, (void*)p_data, param_len, NULL);
++    status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
++                                   (void*)p_data, param_len, p_copy_cback);
+ 
+     /* catch any failed context transfers */
+     ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);

Patches/LineageOS-14.1/android_system_bt/358736.patch

@@ -0,0 +1,139 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:35:35 +0000
+Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length
+ in sdpu_build_uuid_seq""
+
+This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6.
+
+Reason for revert: Reinstate original change for QPR
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec)
+Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8
+Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8
+---
+ stack/sdp/sdp_discovery.c | 64 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 59 insertions(+), 5 deletions(-)
+
+diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
+index ec85da47a..d57c47790 100644
+--- a/stack/sdp/sdp_discovery.c
++++ b/stack/sdp/sdp_discovery.c
+@@ -73,11 +73,18 @@ extern fixed_queue_t *btu_general_alarm_queue;
+ ** Returns          Pointer to next byte in the output buffer.
+ **
+ *******************************************************************************/
+-static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list)
++static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list,
++                                   UINT16 bytes_left)
+ {
+     UINT16  xx;
+     UINT8   *p_len;
+ 
++    if (bytes_left < 2) {
++      SDP_TRACE_ERROR("SDP: No space for data element header");
++      return (p_out);
++    }
++
++
+     /* First thing is the data element header */
+     UINT8_TO_BE_STREAM  (p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
+ 
+@@ -85,9 +92,19 @@ static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_
+     p_len = p_out;
+     p_out += 1;
+ 
++    /* Account for data element header and length */
++    bytes_left -= 2;
++
+     /* Now, loop through and put in all the UUID(s) */
+     for (xx = 0; xx < num_uuids; xx++, p_uuid_list++)
+     {
++        if (p_uuid_list->len + 1 > bytes_left) {
++            SDP_TRACE_ERROR("SDP: Too many UUIDs for internal buffer");
++            break;
++        } else {
++            bytes_left -= (p_uuid_list->len + 1);
++        }
++
+         if (p_uuid_list->len == 2)
+         {
+             UINT8_TO_BE_STREAM  (p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
+@@ -130,6 +147,7 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 *
+     UINT8           *p, *p_start, *p_param_len;
+     BT_HDR          *p_cmd = (BT_HDR *) osi_malloc(SDP_DATA_BUF_SIZE);
+     UINT16          param_len;
++    UINT16          bytes_left = SDP_DATA_BUF_SIZE;
+ 
+     /* Prepare the buffer for sending the packet to L2CAP */
+     p_cmd->offset = L2CAP_MIN_OFFSET;
+@@ -144,11 +162,29 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 *
+     p_param_len = p;
+     p += 2;
+ 
++    /* Account for header size, max service record count and
++     * continuation state */
++    const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
++                                 3u + /* service search request header */
++                                 2u + /* param len */
++                                 3u + ((p_cont) ? cont_len : 0));
++
++    if (base_bytes > bytes_left) {
++        SDP_TRACE_ERROR("SDP: Overran SDP data buffer");
++        osi_free(p_cmd);
++        return;
++    }
++
++    bytes_left -= base_bytes;
++
+     /* Build the UID sequence. */
+ #if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE)
+-    p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
++    p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
++		             bytes_left);
+ #else
+-    p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters);
++    /* Build the UID sequence. */
++    p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters,
++		             bytes_left);
+ #endif
+ 
+     /* Set max service record count */
+@@ -686,6 +722,7 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
+     {
+         BT_HDR  *p_msg = (BT_HDR *)osi_malloc(SDP_DATA_BUF_SIZE);
+         UINT8   *p;
++        UINT16  bytes_left = SDP_DATA_BUF_SIZE;
+ 
+         p_msg->offset = L2CAP_MIN_OFFSET;
+         p = p_start = (UINT8 *)(p_msg + 1) + L2CAP_MIN_OFFSET;
+@@ -699,11 +736,28 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
+         p_param_len = p;
+         p += 2;
+ 
++        /* Account for header size, max service record count and
++         * continuation state */
++        const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
++                                     3u + /* service search request header */
++                                     2u + /* param len */
++                                     3u + /* max service record count */
++                                     ((p_reply) ? (*p_reply) : 0));
++
++        if (base_bytes > bytes_left) {
++            sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
++            return;
++        }
++
++        bytes_left -= base_bytes;
++
+         /* Build the UID sequence. */
+ #if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE)
+-        p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
++        p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
++                                 bytes_left);
+ #else
+-        p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters);
++        p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters,
++                                 bytes_left);
+ #endif
+ 
+         /* Max attribute byte count */

Patches/LineageOS-14.1/android_system_bt/358737.patch

@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:39:16 +0000
+Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
+ (P_256->P_192)""
+
+This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
+
+Function btm_sec_encrypt_change() is called at most places
+with argument "encr_enable" treated as bool and not as per
+(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
+function has special handling for "encr_enable=1" to downgrade
+the link key type for BR/EDR case. This gets executed even
+when the caller/context did not mean/expect so. It appears
+this handling in btm_sec_encrypt_change() is not necessary and
+is removed by this commit to prevent accidental execution of it.
+
+Test: Verified re-pairing with an iPhone works fine now
+
+Issue Reproduction Steps:
+1. Enable Bluetooth Hotspot on Android device (DUT).
+2. Pair and connect an iPhone to DUT.
+3. Forget this pairing on DUT.
+4. On iPhone settings, click on old DUT's paired entry to connect.
+5. iPhone notifies to click 'Forget Device' and try fresh pairing.
+6. On iPhone, after doing 'Forget Device', discover DUT again.
+7. Attempt pairing to DUT by clicking on discovered DUT entry.
+   Pairing will be unsuccessful.
+
+Issue Cause:
+During re-pairing, DUT is seen to downgrade
+BR/EDR link key unexpectedly from link key type 0x8
+(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
+
+Log snippet (re-pairing time):
+btm_sec_link_key_notification set new_encr_key_256 to 1
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
+btm_sec_encrypt_change new_encr_key_256 is 1
+--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
+btm_sec_encrypt_change new_encr_key_256 is 0
+updated link key type to 5
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
+
+This is a backport of the following patch: aosp/1890096
+
+Bug: 258834033
+
+Reason for revert: Reinstate original change for QPR
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
+Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+---
+ stack/btm/btm_sec.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
+index 175fefeae..f8884b917 100644
+--- a/stack/btm/btm_sec.c
++++ b/stack/btm/btm_sec.c
+@@ -4348,24 +4348,6 @@ void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
+                 }
+             }
+         }
+-        else
+-        {
+-            // BR/EDR is successfully encrypted. Correct LK type if needed
+-            // (BR/EDR LK derived from LE LTK was used for encryption)
+-            if ((encr_enable == 1)  && /* encryption is ON for SSP */
+-                /* LK type is for BR/EDR SC */
+-                (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
+-                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
+-            {
+-                if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
+-                    p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
+-                else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
+-                    p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
+-
+-                BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
+-                btm_send_link_key_notif(p_dev_rec);
+-            }
+-        }
+     }
+ #else
+     btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);

Scripts/LineageOS-14.1/Patch.sh

@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-05 #XXX
+sed -i 's/2021-06-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-06 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -142,6 +142,7 @@ if enterAndClear "frameworks/av"; then
 applyPatch "$DOS_PATCHES/android_frameworks_av/212799.patch"; #FLAC extractor CVE-2017-0592. alt: 212827/174106 (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_av/319987.patch"; #n-asb-2021-12 Fix heap-buffer-overflow in MPEG4Extractor
 applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 SimpleDecodingSource:Prevent OOB write in heap mem
+applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -195,6 +196,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 E
 applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
 applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
 #applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS #XXX: no-op
+applyPatch "$DOS_PATCHES/android_frameworks_base/358732.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
+applyPatch "$DOS_PATCHES/android_frameworks_base/358733.patch"; #n-asb-2023-06 Check key intent for selectors and prohibited flags
+applyPatch "$DOS_PATCHES/android_frameworks_base/358734.patch"; #n-asb-2023-06 Handle invalid data during job loading.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -363,6 +367,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358738.patch"; #n-asb-2023-06 Convert argument to intent in AddAccountSettings.
 git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -378,6 +383,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove the rest of CMStats (DivestOS)
 fi;
 
+if enterAndClear "packages/apps/TvSettings"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358739.patch"; #n-asb-2023-06 Convert argument to intent in addAccount TvSettings.
+fi;
+
 if enterAndClear "packages/apps/Updater"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
@@ -452,6 +461,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/351106.patch"; #n-asb-2023-03 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/351109.patch"; #n-asb-2023-03 AVRCP: Fix potential buffer overflow
 applyPatch "$DOS_PATCHES/android_system_bt/353754.patch"; #n-asb-2023-04 AVDTP: Fix a potential overflow about the media payload offset
 applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/358735.patch"; #n-asb-2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/358736.patch"; #n-asb-2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/358737.patch"; #n-asb-2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)