mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-25 07:29:24 -05:00
Picks
https://review.lineageos.org/q/topic:%22n-asb-2023-06%22 Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
78fa476749
commit
e7b390d7e6
75
Patches/LineageOS-14.1/android_frameworks_av/358729.patch
Normal file
75
Patches/LineageOS-14.1/android_frameworks_av/358729.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ray Essick <essick@google.com>
|
||||||
|
Date: Mon, 27 Mar 2023 18:16:46 -0500
|
||||||
|
Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling
|
||||||
|
|
||||||
|
readSampleData() did not initialize buffer before filling it,
|
||||||
|
leading to OOB memory references. Correct and clarify the book
|
||||||
|
keeping around output buffer management.
|
||||||
|
|
||||||
|
Bug: 275418191
|
||||||
|
Test: CtsMediaExtractorTestCases w/debug messages
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
|
||||||
|
Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
|
||||||
|
Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d
|
||||||
|
---
|
||||||
|
media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++-----
|
||||||
|
1 file changed, 9 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
|
||||||
|
index c3e8f20473..40fe71866e 100644
|
||||||
|
--- a/media/libstagefright/NuMediaExtractor.cpp
|
||||||
|
+++ b/media/libstagefright/NuMediaExtractor.cpp
|
||||||
|
@@ -481,9 +481,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(TrackInfo *info, const sp<
|
||||||
|
numPageSamples = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ // insert, including accounting for the space used.
|
||||||
|
memcpy((uint8_t *)buffer->data() + info->mSample->range_length(),
|
||||||
|
&numPageSamples,
|
||||||
|
sizeof(numPageSamples));
|
||||||
|
+ buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples));
|
||||||
|
|
||||||
|
uint32_t type;
|
||||||
|
const void *data;
|
||||||
|
@@ -532,6 +534,8 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
|
||||||
|
|
||||||
|
ssize_t minIndex = fetchTrackSamples();
|
||||||
|
|
||||||
|
+ buffer->setRange(0, 0); // start with an empty buffer
|
||||||
|
+
|
||||||
|
if (minIndex < 0) {
|
||||||
|
return ERROR_END_OF_STREAM;
|
||||||
|
}
|
||||||
|
@@ -546,25 +550,25 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
|
||||||
|
sampleSize += sizeof(int32_t);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ // capacity() is ok since we cleared out the buffer
|
||||||
|
if (buffer->capacity() < sampleSize) {
|
||||||
|
return -ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ const size_t srclen = info->mSample->range_length();
|
||||||
|
const uint8_t *src =
|
||||||
|
(const uint8_t *)info->mSample->data()
|
||||||
|
+ info->mSample->range_offset();
|
||||||
|
|
||||||
|
- memcpy((uint8_t *)buffer->data(), src, info->mSample->range_length());
|
||||||
|
+ memcpy((uint8_t *)buffer->data(), src, srclen);
|
||||||
|
+ buffer->setRange(0, srclen);
|
||||||
|
|
||||||
|
status_t err = OK;
|
||||||
|
if (info->mTrackFlags & kIsVorbis) {
|
||||||
|
+ // adjusts range when it inserts the extra bits
|
||||||
|
err = appendVorbisNumPageSamples(info, buffer);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (err == OK) {
|
||||||
|
- buffer->setRange(0, sampleSize);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
77
Patches/LineageOS-14.1/android_frameworks_base/358732.patch
Normal file
77
Patches/LineageOS-14.1/android_frameworks_base/358732.patch
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Valentin Iftime <valiiftime@google.com>
|
||||||
|
Date: Wed, 22 Feb 2023 09:38:55 +0100
|
||||||
|
Subject: [PATCH] Prevent RemoteViews crashing SystemUi
|
||||||
|
|
||||||
|
Catch canvas drawing exceptions caused by unsuported image sizes.
|
||||||
|
|
||||||
|
Test: 1. Post a custom view notification with a layout
|
||||||
|
containing an ImageView that references a 5k x 5k image
|
||||||
|
2. Add an App Widget to the home screen with that has the
|
||||||
|
layout mentioned above as preview/initial layout.
|
||||||
|
|
||||||
|
Bug: 268193777
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d)
|
||||||
|
Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
|
||||||
|
Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a
|
||||||
|
---
|
||||||
|
.../android/appwidget/AppWidgetHostView.java | 38 ++++++++++++++-----
|
||||||
|
1 file changed, 28 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
|
||||||
|
index 5d99ada9a024..07a23916b4c9 100644
|
||||||
|
--- a/core/java/android/appwidget/AppWidgetHostView.java
|
||||||
|
+++ b/core/java/android/appwidget/AppWidgetHostView.java
|
||||||
|
@@ -248,19 +248,26 @@ public class AppWidgetHostView extends FrameLayout {
|
||||||
|
super.onLayout(changed, left, top, right, bottom);
|
||||||
|
} catch (final RuntimeException e) {
|
||||||
|
Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e);
|
||||||
|
- removeViewInLayout(mView);
|
||||||
|
- View child = getErrorView();
|
||||||
|
- prepareView(child);
|
||||||
|
- addViewInLayout(child, 0, child.getLayoutParams());
|
||||||
|
- measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
|
||||||
|
- MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
|
||||||
|
- child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
|
||||||
|
- child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
|
||||||
|
- mView = child;
|
||||||
|
- mViewMode = VIEW_MODE_ERROR;
|
||||||
|
+ handleViewError();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /**
|
||||||
|
+ * Remove bad view and replace with error message view
|
||||||
|
+ */
|
||||||
|
+ private void handleViewError() {
|
||||||
|
+ removeViewInLayout(mView);
|
||||||
|
+ View child = getErrorView();
|
||||||
|
+ prepareView(child);
|
||||||
|
+ addViewInLayout(child, 0, child.getLayoutParams());
|
||||||
|
+ measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
|
||||||
|
+ MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
|
||||||
|
+ child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
|
||||||
|
+ child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
|
||||||
|
+ mView = child;
|
||||||
|
+ mViewMode = VIEW_MODE_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Provide guidance about the size of this widget to the AppWidgetManager. The widths and
|
||||||
|
* heights should correspond to the full area the AppWidgetHostView is given. Padding added by
|
||||||
|
@@ -767,4 +774,15 @@ public class AppWidgetHostView extends FrameLayout {
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ @Override
|
||||||
|
+ protected void dispatchDraw(Canvas canvas) {
|
||||||
|
+ try {
|
||||||
|
+ super.dispatchDraw(canvas);
|
||||||
|
+ } catch (Exception e) {
|
||||||
|
+ // Catch draw exceptions that may be caused by RemoteViews
|
||||||
|
+ Log.e(TAG, "Drawing view failed: " + e);
|
||||||
|
+ post(this::handleViewError);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
52
Patches/LineageOS-14.1/android_frameworks_base/358733.patch
Normal file
52
Patches/LineageOS-14.1/android_frameworks_base/358733.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Lee <brnlee@google.com>
|
||||||
|
Date: Fri, 17 Feb 2023 16:05:17 -0800
|
||||||
|
Subject: [PATCH] Check key intent for selectors and prohibited flags
|
||||||
|
|
||||||
|
Bug: 265015796
|
||||||
|
Test: atest
|
||||||
|
FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
|
||||||
|
(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8)
|
||||||
|
Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
|
||||||
|
Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
|
||||||
|
---
|
||||||
|
.../server/accounts/AccountManagerService.java | 18 +++++++++++++-----
|
||||||
|
1 file changed, 13 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
index b27f9b08c05e..bdbf03eda2f5 100644
|
||||||
|
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
@@ -4244,10 +4244,6 @@ public class AccountManagerService
|
||||||
|
if (intent.getClipData() == null) {
|
||||||
|
intent.setClipData(ClipData.newPlainText(null, null));
|
||||||
|
}
|
||||||
|
- intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
|
||||||
|
- | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
|
||||||
|
- | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
|
||||||
|
- | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
|
||||||
|
long bid = Binder.clearCallingIdentity();
|
||||||
|
try {
|
||||||
|
PackageManager pm = mContext.getPackageManager();
|
||||||
|
@@ -4290,7 +4286,19 @@ public class AccountManagerService
|
||||||
|
if (intent == null) {
|
||||||
|
return (simulateIntent == null);
|
||||||
|
}
|
||||||
|
- return intent.filterEquals(simulateIntent);
|
||||||
|
+ if (!intent.filterEquals(simulateIntent)) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (intent.getSelector() != simulateIntent.getSelector()) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
|
||||||
|
+ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
|
||||||
|
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
|
||||||
|
+ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
|
||||||
|
+ return (simulateIntent.getFlags() & prohibitedFlags) == 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void close() {
|
81
Patches/LineageOS-14.1/android_frameworks_base/358734.patch
Normal file
81
Patches/LineageOS-14.1/android_frameworks_base/358734.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kweku Adams <kwekua@google.com>
|
||||||
|
Date: Wed, 21 Sep 2022 22:13:01 +0000
|
||||||
|
Subject: [PATCH] Handle invalid data during job loading.
|
||||||
|
|
||||||
|
Catch exceptions that may be thrown if invalid data ended up in the
|
||||||
|
persisted job file.
|
||||||
|
|
||||||
|
Bug: 246541702
|
||||||
|
Bug: 246542132
|
||||||
|
Bug: 246542285
|
||||||
|
Bug: 246542330
|
||||||
|
Test: install test app with invalid job config, start app to schedule job, then reboot device
|
||||||
|
(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203)
|
||||||
|
Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
|
||||||
|
Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e
|
||||||
|
---
|
||||||
|
.../java/com/android/server/job/JobStore.java | 28 +++++++++++++++++--
|
||||||
|
1 file changed, 25 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java
|
||||||
|
index 602b9c755e88..80750ab0b927 100644
|
||||||
|
--- a/services/core/java/com/android/server/job/JobStore.java
|
||||||
|
+++ b/services/core/java/com/android/server/job/JobStore.java
|
||||||
|
@@ -464,6 +464,12 @@ public class JobStore {
|
||||||
|
if (JobSchedulerService.DEBUG) {
|
||||||
|
Slog.d(TAG, "Error parsing xml.", e);
|
||||||
|
}
|
||||||
|
+ } catch (Exception e) {
|
||||||
|
+ if (JobSchedulerService.DEBUG) {
|
||||||
|
+ // Crashing at this point would result in a boot loop, so live with a general
|
||||||
|
+ // Exception for system stability's sake.
|
||||||
|
+ Slog.d(TAG, "Unexpected exception", e);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -575,6 +581,15 @@ public class JobStore {
|
||||||
|
} catch (NumberFormatException e) {
|
||||||
|
Slog.d(TAG, "Error reading constraints, skipping.");
|
||||||
|
return null;
|
||||||
|
+ } catch (XmlPullParserException e) {
|
||||||
|
+ Slog.d(TAG, "Error Parser Exception.", e);
|
||||||
|
+ return null;
|
||||||
|
+ } catch (IOException e) {
|
||||||
|
+ Slog.d(TAG, "Error I/O Exception.", e);
|
||||||
|
+ return null;
|
||||||
|
+ } catch (IllegalArgumentException e) {
|
||||||
|
+ Slog.e(TAG, "Constraints contained invalid data", e);
|
||||||
|
+ return null;
|
||||||
|
}
|
||||||
|
parser.next(); // Consume </constraints>
|
||||||
|
|
||||||
|
@@ -668,8 +683,14 @@ public class JobStore {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
- PersistableBundle extras = PersistableBundle.restoreFromXml(parser);
|
||||||
|
- jobBuilder.setExtras(extras);
|
||||||
|
+ final PersistableBundle extras;
|
||||||
|
+ try {
|
||||||
|
+ extras = PersistableBundle.restoreFromXml(parser);
|
||||||
|
+ jobBuilder.setExtras(extras);
|
||||||
|
+ } catch (IllegalArgumentException e) {
|
||||||
|
+ Slog.e(TAG, "Persisted extras contained invalid data", e);
|
||||||
|
+ return null;
|
||||||
|
+ }
|
||||||
|
parser.nextTag(); // Consume </extras>
|
||||||
|
|
||||||
|
// Migrate sync jobs forward from earlier, incomplete representation
|
||||||
|
@@ -700,7 +721,8 @@ public class JobStore {
|
||||||
|
return new JobInfo.Builder(jobId, cname);
|
||||||
|
}
|
||||||
|
|
||||||
|
- private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) {
|
||||||
|
+ private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser)
|
||||||
|
+ throws XmlPullParserException, IOException {
|
||||||
|
String val = parser.getAttributeValue(null, "connectivity");
|
||||||
|
if (val != null) {
|
||||||
|
jobBuilder.setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY);
|
@ -0,0 +1,28 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Dementyev <dementyev@google.com>
|
||||||
|
Date: Tue, 7 Mar 2023 10:36:41 -0800
|
||||||
|
Subject: [PATCH] Convert argument to intent in AddAccountSettings.
|
||||||
|
|
||||||
|
Bug: 265798353
|
||||||
|
Test: manual
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da)
|
||||||
|
Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
|
||||||
|
Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
|
||||||
|
---
|
||||||
|
src/com/android/settings/accounts/AddAccountSettings.java | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java
|
||||||
|
index ce16ba3d5a..c2613e7fbc 100644
|
||||||
|
--- a/src/com/android/settings/accounts/AddAccountSettings.java
|
||||||
|
+++ b/src/com/android/settings/accounts/AddAccountSettings.java
|
||||||
|
@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity {
|
||||||
|
addAccountOptions.putParcelable(EXTRA_USER, mUserHandle);
|
||||||
|
intent.putExtras(addAccountOptions);
|
||||||
|
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
|
||||||
|
- startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle);
|
||||||
|
+ startActivityForResultAsUser(
|
||||||
|
+ new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
|
||||||
|
} else {
|
||||||
|
setResult(RESULT_OK);
|
||||||
|
if (mPendingIntent != null) {
|
@ -0,0 +1,27 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Dementyev <dementyev@google.com>
|
||||||
|
Date: Tue, 7 Mar 2023 10:55:07 -0800
|
||||||
|
Subject: [PATCH] Convert argument to intent in addAccount TvSettings.
|
||||||
|
|
||||||
|
Bug: 265798353
|
||||||
|
Test: manual
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac)
|
||||||
|
Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e
|
||||||
|
Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e
|
||||||
|
---
|
||||||
|
.../tv/settings/accounts/AddAccountWithTypeActivity.java | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
|
||||||
|
index 5f1dc0977..6294128f6 100644
|
||||||
|
--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
|
||||||
|
+++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
|
||||||
|
@@ -50,7 +50,7 @@ public class AddAccountWithTypeActivity extends Activity {
|
||||||
|
Log.e(TAG, "Failed to retrieve add account intent from authenticator");
|
||||||
|
setResultAndFinish(Activity.RESULT_CANCELED);
|
||||||
|
} else {
|
||||||
|
- startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT);
|
||||||
|
+ startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT);
|
||||||
|
}
|
||||||
|
} catch (IOException|AuthenticatorException|OperationCanceledException e) {
|
||||||
|
Log.e(TAG, "Failed to get add account intent: ", e);
|
105
Patches/LineageOS-14.1/android_system_bt/358735.patch
Normal file
105
Patches/LineageOS-14.1/android_system_bt/358735.patch
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Tue, 11 Oct 2022 21:23:22 +0000
|
||||||
|
Subject: [PATCH] Prevent use-after-free of HID reports
|
||||||
|
|
||||||
|
BTA sends the the HID report pointer to BTIF and deallocates it immediately.
|
||||||
|
This is now prevented by providing a deep copy callback function for HID
|
||||||
|
reports when tranferring context from BTA to BTIF.
|
||||||
|
|
||||||
|
This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
|
||||||
|
already merged on T for b/227620181.
|
||||||
|
|
||||||
|
Bug: 228837201
|
||||||
|
Test: Validated against researcher POC, ran BT unit tests, played audio
|
||||||
|
manually.
|
||||||
|
Tag: #security
|
||||||
|
Ignore-AOSP-First: Security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
|
||||||
|
Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
|
||||||
|
Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
|
||||||
|
---
|
||||||
|
btif/src/btif_hh.c | 49 +++++++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 46 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c
|
||||||
|
index a4057cca5..69e87b9f8 100644
|
||||||
|
--- a/btif/src/btif_hh.c
|
||||||
|
+++ b/btif/src/btif_hh.c
|
||||||
|
@@ -1093,6 +1093,38 @@ static void btif_hh_upstreams_evt(UINT16 event, char* p_param)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*******************************************************************************
|
||||||
|
+ *
|
||||||
|
+ * Function btif_hh_hsdata_rpt_copy_cb
|
||||||
|
+ *
|
||||||
|
+ * Description Deep copies the tBTA_HH_HSDATA structure
|
||||||
|
+ *
|
||||||
|
+ * Returns void
|
||||||
|
+ *
|
||||||
|
+ ******************************************************************************/
|
||||||
|
+
|
||||||
|
+static void btif_hh_hsdata_rpt_copy_cb(UINT16 event, char* p_dest,
|
||||||
|
+ char* p_src) {
|
||||||
|
+ tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
|
||||||
|
+ tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
|
||||||
|
+ BT_HDR* hdr;
|
||||||
|
+
|
||||||
|
+ if (!p_src) {
|
||||||
|
+ BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
|
||||||
|
+
|
||||||
|
+ hdr = p_src_data->rsp_data.p_rpt_data;
|
||||||
|
+ if (hdr != NULL) {
|
||||||
|
+ UINT8* p_data = ((UINT8*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
|
||||||
|
+ memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
|
||||||
|
+
|
||||||
|
+ p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*******************************************************************************
|
||||||
|
**
|
||||||
|
** Function bte_hh_evt
|
||||||
|
@@ -1107,6 +1139,7 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data)
|
||||||
|
{
|
||||||
|
bt_status_t status;
|
||||||
|
int param_len = 0;
|
||||||
|
+ tBTIF_COPY_CBACK* p_copy_cback = NULL;
|
||||||
|
|
||||||
|
if (BTA_HH_ENABLE_EVT == event)
|
||||||
|
param_len = sizeof(tBTA_HH_STATUS);
|
||||||
|
@@ -1118,16 +1151,26 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data)
|
||||||
|
param_len = sizeof(tBTA_HH_CBDATA);
|
||||||
|
else if (BTA_HH_GET_DSCP_EVT == event)
|
||||||
|
param_len = sizeof(tBTA_HH_DEV_DSCP_INFO);
|
||||||
|
- else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event)|| (BTA_HH_GET_IDLE_EVT == event))
|
||||||
|
+ else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
|
||||||
|
param_len = sizeof(tBTA_HH_HSDATA);
|
||||||
|
- else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
|
||||||
|
+ else if (BTA_HH_GET_RPT_EVT == event) {
|
||||||
|
+ BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
|
||||||
|
+ param_len = sizeof(tBTA_HH_HSDATA);
|
||||||
|
+
|
||||||
|
+ if (hdr != NULL) {
|
||||||
|
+ p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
|
||||||
|
+ param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
|
||||||
|
+ }
|
||||||
|
+ } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
|
||||||
|
+ (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
|
||||||
|
param_len = sizeof(tBTA_HH_CBDATA);
|
||||||
|
else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event) )
|
||||||
|
param_len = sizeof(tBTA_HH_DEV_INFO);
|
||||||
|
else if (BTA_HH_API_ERR_EVT == event)
|
||||||
|
param_len = 0;
|
||||||
|
/* switch context to btif task context (copy full union size for convenience) */
|
||||||
|
- status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event, (void*)p_data, param_len, NULL);
|
||||||
|
+ status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
|
||||||
|
+ (void*)p_data, param_len, p_copy_cback);
|
||||||
|
|
||||||
|
/* catch any failed context transfers */
|
||||||
|
ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);
|
139
Patches/LineageOS-14.1/android_system_bt/358736.patch
Normal file
139
Patches/LineageOS-14.1/android_system_bt/358736.patch
Normal file
@ -0,0 +1,139 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Tue, 21 Mar 2023 22:35:35 +0000
|
||||||
|
Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length
|
||||||
|
in sdpu_build_uuid_seq""
|
||||||
|
|
||||||
|
This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6.
|
||||||
|
|
||||||
|
Reason for revert: Reinstate original change for QPR
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec)
|
||||||
|
Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8
|
||||||
|
Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8
|
||||||
|
---
|
||||||
|
stack/sdp/sdp_discovery.c | 64 ++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 59 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
|
||||||
|
index ec85da47a..d57c47790 100644
|
||||||
|
--- a/stack/sdp/sdp_discovery.c
|
||||||
|
+++ b/stack/sdp/sdp_discovery.c
|
||||||
|
@@ -73,11 +73,18 @@ extern fixed_queue_t *btu_general_alarm_queue;
|
||||||
|
** Returns Pointer to next byte in the output buffer.
|
||||||
|
**
|
||||||
|
*******************************************************************************/
|
||||||
|
-static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list)
|
||||||
|
+static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list,
|
||||||
|
+ UINT16 bytes_left)
|
||||||
|
{
|
||||||
|
UINT16 xx;
|
||||||
|
UINT8 *p_len;
|
||||||
|
|
||||||
|
+ if (bytes_left < 2) {
|
||||||
|
+ SDP_TRACE_ERROR("SDP: No space for data element header");
|
||||||
|
+ return (p_out);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* First thing is the data element header */
|
||||||
|
UINT8_TO_BE_STREAM (p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
|
||||||
|
|
||||||
|
@@ -85,9 +92,19 @@ static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_
|
||||||
|
p_len = p_out;
|
||||||
|
p_out += 1;
|
||||||
|
|
||||||
|
+ /* Account for data element header and length */
|
||||||
|
+ bytes_left -= 2;
|
||||||
|
+
|
||||||
|
/* Now, loop through and put in all the UUID(s) */
|
||||||
|
for (xx = 0; xx < num_uuids; xx++, p_uuid_list++)
|
||||||
|
{
|
||||||
|
+ if (p_uuid_list->len + 1 > bytes_left) {
|
||||||
|
+ SDP_TRACE_ERROR("SDP: Too many UUIDs for internal buffer");
|
||||||
|
+ break;
|
||||||
|
+ } else {
|
||||||
|
+ bytes_left -= (p_uuid_list->len + 1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (p_uuid_list->len == 2)
|
||||||
|
{
|
||||||
|
UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
|
||||||
|
@@ -130,6 +147,7 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 *
|
||||||
|
UINT8 *p, *p_start, *p_param_len;
|
||||||
|
BT_HDR *p_cmd = (BT_HDR *) osi_malloc(SDP_DATA_BUF_SIZE);
|
||||||
|
UINT16 param_len;
|
||||||
|
+ UINT16 bytes_left = SDP_DATA_BUF_SIZE;
|
||||||
|
|
||||||
|
/* Prepare the buffer for sending the packet to L2CAP */
|
||||||
|
p_cmd->offset = L2CAP_MIN_OFFSET;
|
||||||
|
@@ -144,11 +162,29 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 *
|
||||||
|
p_param_len = p;
|
||||||
|
p += 2;
|
||||||
|
|
||||||
|
+ /* Account for header size, max service record count and
|
||||||
|
+ * continuation state */
|
||||||
|
+ const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
|
||||||
|
+ 3u + /* service search request header */
|
||||||
|
+ 2u + /* param len */
|
||||||
|
+ 3u + ((p_cont) ? cont_len : 0));
|
||||||
|
+
|
||||||
|
+ if (base_bytes > bytes_left) {
|
||||||
|
+ SDP_TRACE_ERROR("SDP: Overran SDP data buffer");
|
||||||
|
+ osi_free(p_cmd);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ bytes_left -= base_bytes;
|
||||||
|
+
|
||||||
|
/* Build the UID sequence. */
|
||||||
|
#if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE)
|
||||||
|
- p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
|
||||||
|
+ p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
|
||||||
|
+ bytes_left);
|
||||||
|
#else
|
||||||
|
- p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters);
|
||||||
|
+ /* Build the UID sequence. */
|
||||||
|
+ p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters,
|
||||||
|
+ bytes_left);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Set max service record count */
|
||||||
|
@@ -686,6 +722,7 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
|
||||||
|
{
|
||||||
|
BT_HDR *p_msg = (BT_HDR *)osi_malloc(SDP_DATA_BUF_SIZE);
|
||||||
|
UINT8 *p;
|
||||||
|
+ UINT16 bytes_left = SDP_DATA_BUF_SIZE;
|
||||||
|
|
||||||
|
p_msg->offset = L2CAP_MIN_OFFSET;
|
||||||
|
p = p_start = (UINT8 *)(p_msg + 1) + L2CAP_MIN_OFFSET;
|
||||||
|
@@ -699,11 +736,28 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
|
||||||
|
p_param_len = p;
|
||||||
|
p += 2;
|
||||||
|
|
||||||
|
+ /* Account for header size, max service record count and
|
||||||
|
+ * continuation state */
|
||||||
|
+ const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
|
||||||
|
+ 3u + /* service search request header */
|
||||||
|
+ 2u + /* param len */
|
||||||
|
+ 3u + /* max service record count */
|
||||||
|
+ ((p_reply) ? (*p_reply) : 0));
|
||||||
|
+
|
||||||
|
+ if (base_bytes > bytes_left) {
|
||||||
|
+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ bytes_left -= base_bytes;
|
||||||
|
+
|
||||||
|
/* Build the UID sequence. */
|
||||||
|
#if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE)
|
||||||
|
- p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
|
||||||
|
+ p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
|
||||||
|
+ bytes_left);
|
||||||
|
#else
|
||||||
|
- p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters);
|
||||||
|
+ p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters,
|
||||||
|
+ bytes_left);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Max attribute byte count */
|
84
Patches/LineageOS-14.1/android_system_bt/358737.patch
Normal file
84
Patches/LineageOS-14.1/android_system_bt/358737.patch
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Tue, 21 Mar 2023 22:39:16 +0000
|
||||||
|
Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
|
||||||
|
(P_256->P_192)""
|
||||||
|
|
||||||
|
This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
|
||||||
|
|
||||||
|
Function btm_sec_encrypt_change() is called at most places
|
||||||
|
with argument "encr_enable" treated as bool and not as per
|
||||||
|
(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
|
||||||
|
function has special handling for "encr_enable=1" to downgrade
|
||||||
|
the link key type for BR/EDR case. This gets executed even
|
||||||
|
when the caller/context did not mean/expect so. It appears
|
||||||
|
this handling in btm_sec_encrypt_change() is not necessary and
|
||||||
|
is removed by this commit to prevent accidental execution of it.
|
||||||
|
|
||||||
|
Test: Verified re-pairing with an iPhone works fine now
|
||||||
|
|
||||||
|
Issue Reproduction Steps:
|
||||||
|
1. Enable Bluetooth Hotspot on Android device (DUT).
|
||||||
|
2. Pair and connect an iPhone to DUT.
|
||||||
|
3. Forget this pairing on DUT.
|
||||||
|
4. On iPhone settings, click on old DUT's paired entry to connect.
|
||||||
|
5. iPhone notifies to click 'Forget Device' and try fresh pairing.
|
||||||
|
6. On iPhone, after doing 'Forget Device', discover DUT again.
|
||||||
|
7. Attempt pairing to DUT by clicking on discovered DUT entry.
|
||||||
|
Pairing will be unsuccessful.
|
||||||
|
|
||||||
|
Issue Cause:
|
||||||
|
During re-pairing, DUT is seen to downgrade
|
||||||
|
BR/EDR link key unexpectedly from link key type 0x8
|
||||||
|
(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
|
||||||
|
|
||||||
|
Log snippet (re-pairing time):
|
||||||
|
btm_sec_link_key_notification set new_encr_key_256 to 1
|
||||||
|
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
|
||||||
|
btm_sec_encrypt_change new_encr_key_256 is 1
|
||||||
|
--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
|
||||||
|
btm_sec_encrypt_change new_encr_key_256 is 0
|
||||||
|
updated link key type to 5
|
||||||
|
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
|
||||||
|
|
||||||
|
This is a backport of the following patch: aosp/1890096
|
||||||
|
|
||||||
|
Bug: 258834033
|
||||||
|
|
||||||
|
Reason for revert: Reinstate original change for QPR
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
|
||||||
|
Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
|
||||||
|
Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
|
||||||
|
---
|
||||||
|
stack/btm/btm_sec.c | 18 ------------------
|
||||||
|
1 file changed, 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
|
||||||
|
index 175fefeae..f8884b917 100644
|
||||||
|
--- a/stack/btm/btm_sec.c
|
||||||
|
+++ b/stack/btm/btm_sec.c
|
||||||
|
@@ -4348,24 +4348,6 @@ void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
- {
|
||||||
|
- // BR/EDR is successfully encrypted. Correct LK type if needed
|
||||||
|
- // (BR/EDR LK derived from LE LTK was used for encryption)
|
||||||
|
- if ((encr_enable == 1) && /* encryption is ON for SSP */
|
||||||
|
- /* LK type is for BR/EDR SC */
|
||||||
|
- (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
|
||||||
|
- p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
|
||||||
|
- {
|
||||||
|
- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
|
||||||
|
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
|
||||||
|
- else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
|
||||||
|
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
|
||||||
|
-
|
||||||
|
- BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
|
||||||
|
- btm_send_link_key_notif(p_dev_rec);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
|
@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
|||||||
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
|
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
|
||||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||||
awk -i inplace '!/Exchange2/' target/product/core.mk;
|
awk -i inplace '!/Exchange2/' target/product/core.mk;
|
||||||
sed -i 's/2021-06-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-05 #XXX
|
sed -i 's/2021-06-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-06 #XXX
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "device/qcom/sepolicy"; then
|
if enterAndClear "device/qcom/sepolicy"; then
|
||||||
@ -142,6 +142,7 @@ if enterAndClear "frameworks/av"; then
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_av/212799.patch"; #FLAC extractor CVE-2017-0592. alt: 212827/174106 (AOSP)
|
applyPatch "$DOS_PATCHES/android_frameworks_av/212799.patch"; #FLAC extractor CVE-2017-0592. alt: 212827/174106 (AOSP)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_av/319987.patch"; #n-asb-2021-12 Fix heap-buffer-overflow in MPEG4Extractor
|
applyPatch "$DOS_PATCHES/android_frameworks_av/319987.patch"; #n-asb-2021-12 Fix heap-buffer-overflow in MPEG4Extractor
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 SimpleDecodingSource:Prevent OOB write in heap mem
|
applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 SimpleDecodingSource:Prevent OOB write in heap mem
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "frameworks/base"; then
|
if enterAndClear "frameworks/base"; then
|
||||||
@ -195,6 +196,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 E
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
|
applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
|
applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
|
||||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS #XXX: no-op
|
#applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS #XXX: no-op
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/358732.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/358733.patch"; #n-asb-2023-06 Check key intent for selectors and prohibited flags
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/358734.patch"; #n-asb-2023-06 Handle invalid data during job loading.
|
||||||
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
|
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
|
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
|
||||||
@ -363,6 +367,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-20
|
|||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
|
||||||
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358738.patch"; #n-asb-2023-06 Convert argument to intent in AddAccountSettings.
|
||||||
git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
|
git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
||||||
@ -378,6 +383,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
|
|||||||
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove the rest of CMStats (DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove the rest of CMStats (DivestOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
if enterAndClear "packages/apps/TvSettings"; then
|
||||||
|
applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358739.patch"; #n-asb-2023-06 Convert argument to intent in addAccount TvSettings.
|
||||||
|
fi;
|
||||||
|
|
||||||
if enterAndClear "packages/apps/Updater"; then
|
if enterAndClear "packages/apps/Updater"; then
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
|
||||||
@ -452,6 +461,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/351106.patch"; #n-asb-2023-03 Fix an
|
|||||||
applyPatch "$DOS_PATCHES/android_system_bt/351109.patch"; #n-asb-2023-03 AVRCP: Fix potential buffer overflow
|
applyPatch "$DOS_PATCHES/android_system_bt/351109.patch"; #n-asb-2023-03 AVRCP: Fix potential buffer overflow
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/353754.patch"; #n-asb-2023-04 AVDTP: Fix a potential overflow about the media payload offset
|
applyPatch "$DOS_PATCHES/android_system_bt/353754.patch"; #n-asb-2023-04 AVDTP: Fix a potential overflow about the media payload offset
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an OOB bug in register_notification_rsp
|
applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an OOB bug in register_notification_rsp
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/358735.patch"; #n-asb-2023-06 Prevent use-after-free of HID reports
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/358736.patch"; #n-asb-2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/358737.patch"; #n-asb-2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
|
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
|
||||||
|
Loading…
Reference in New Issue
Block a user