15.1 October ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_external_libxml2/368053.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 17 Feb 2023 15:53:07 +0100
+Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
+
+Found with libFuzzer, see #344.
+
+(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
+
+I also copied the error label from
+e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
+
+Bug: http://b/274231102
+Test: TreeHugger
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:381160fc2a293d50a627c9e35bb34485bf97b6e7)
+Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
+Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
+---
+ xmlregexp.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index d255fbf0..6234a879 100644
+--- a/xmlregexp.c
++++ b/xmlregexp.c
+@@ -1641,6 +1641,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
+ 			return(-1);
+ 		    inter = ctxt->state;
+ 		    counter = xmlRegGetCounter(ctxt);
++                    if (counter < 0)
++                        return(-1);
+ 		    ctxt->counters[counter].min = atom->min - 1;
+ 		    ctxt->counters[counter].max = atom->max - 1;
+ 		    /* count the number of times we see it again */
+@@ -1659,6 +1661,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
+ 		     * epsilon transition.
+ 		     */
+ 		    counter = xmlRegGetCounter(ctxt);
++                    if (counter < 0)
++                        return(-1);
+ 		    ctxt->counters[counter].min = atom->min - 1;
+ 		    ctxt->counters[counter].max = atom->max - 1;
+ 		    /* count the number of times we see it again */
+@@ -5924,6 +5928,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
+      * associate a counter to the transition.
+      */
+     counter = xmlRegGetCounter(am);
++    if (counter < 0)
++        goto error;
+     am->counters[counter].min = min;
+     am->counters[counter].max = max;
+ 
+@@ -5943,6 +5949,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
+     if (min == 0)
+ 	xmlFAGenerateEpsilonTransition(am, from, to);
+     return(to);
++
++error:
++    xmlRegFreeAtom(atom);
++    return(NULL);
+ }
+ 
+ /**
+@@ -5990,6 +6000,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
+      * associate a counter to the transition.
+      */
+     counter = xmlRegGetCounter(am);
++    if (counter < 0)
++        goto error;
+     am->counters[counter].min = min;
+     am->counters[counter].max = max;
+ 
+@@ -6009,6 +6021,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
+     if (min == 0)
+ 	xmlFAGenerateEpsilonTransition(am, from, to);
+     return(to);
++
++error:
++    xmlRegFreeAtom(atom);
++    return(NULL);
+ }
+ 
+ /**
+@@ -6076,6 +6092,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
+      * associate a counter to the transition.
+      */
+     counter = xmlRegGetCounter(am);
++    if (counter < 0)
++        goto error;
+     am->counters[counter].min = 1;
+     am->counters[counter].max = 1;
+ 
+@@ -6088,6 +6106,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
+     xmlRegAtomPush(am, atom);
+     am->state = to;
+     return(to);
++
++error:
++    xmlRegFreeAtom(atom);
++    return(NULL);
+ }
+ 
+ 
+@@ -6135,6 +6157,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
+      * associate a counter to the transition.
+      */
+     counter = xmlRegGetCounter(am);
++    if (counter < 0)
++        goto error;
+     am->counters[counter].min = 1;
+     am->counters[counter].max = 1;
+ 
+@@ -6147,6 +6171,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
+     xmlRegAtomPush(am, atom);
+     am->state = to;
+     return(to);
++
++error:
++    xmlRegFreeAtom(atom);
++    return(NULL);
+ }
+ 
+ /**

Patches/LineageOS-15.1/android_frameworks_base/368055.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Wed, 7 Dec 2022 04:36:46 +0000
+Subject: [PATCH] RingtoneManager: verify default ringtone is audio
+
+When a ringtone picker tries to set a ringtone through
+RingtoneManager.setActualDefaultRingtoneUri (also
+called by com.android.settings.DefaultRingtonePreference),
+verify the mimeType can be obtained (not found when caller
+doesn't have access to it) and it is an audio resource.
+
+Bug: 205837340
+Test: atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377144b64325dadad102f5233ecb50a4446b205b)
+Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+---
+ media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 3eb9d529b756..38f6deb34f18 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -822,10 +822,10 @@ public class RingtoneManager {
+ 
+         return ringtoneUri;
+     }
+-    
++
+     /**
+      * Sets the {@link Uri} of the default sound for a given sound type.
+-     * 
++     *
+      * @param context A context used for querying.
+      * @param type The type whose default sound should be set. One of
+      *            {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or
+@@ -846,6 +846,21 @@ public class RingtoneManager {
+         if(!isInternalRingtoneUri(ringtoneUri)) {
+             ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId());
+         }
++
++        if (ringtoneUri != null) {
++            final String mimeType = resolver.getType(ringtoneUri);
++            if (mimeType == null) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: failure to find mimeType (no access from this context?)");
++                return;
++            }
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                return;
++            }
++        }
++
+         Settings.System.putStringForUser(resolver, setting,
+                 ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId());
+ 

Patches/LineageOS-15.1/android_frameworks_base/368059.patch

@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Josep del Rio <joseprio@google.com>
+Date: Mon, 26 Jun 2023 11:16:37 +0000
+Subject: [PATCH] Do not share key mappings with JNI object
+
+The key mapping information between the native key mappings and
+the KeyCharacterMap object available in Java is currently shared,
+which means that a read can be attempted while it's being modified.
+
+Because the code changed between R and S, this CL fixes it just
+for R; the patch for versions S+ is ag/23785419
+
+Bug: 274058082
+Test: Presubmit
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4b3c4620166071561ec44961fb08a56676b4fd6c)
+Merged-In: I3be94534dcda365da473f82347ae2e3f57bb1b42
+Change-Id: I3be94534dcda365da473f82347ae2e3f57bb1b42
+---
+ core/jni/android_view_InputDevice.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp
+index 494fad7900ef..806a88f8f50e 100644
+--- a/core/jni/android_view_InputDevice.cpp
++++ b/core/jni/android_view_InputDevice.cpp
+@@ -14,6 +14,7 @@
+  * limitations under the License.
+  */
+ 
++#include <binder/Parcel.h>
+ #include <input/Input.h>
+ 
+ #include <android_runtime/AndroidRuntime.h>
+@@ -48,9 +49,16 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
+         return NULL;
+     }
+ 
++    sp<KeyCharacterMap> map = deviceInfo.getKeyCharacterMap();
++    if (map != nullptr) {
++        Parcel parcel;
++        map->writeToParcel(&parcel);
++        map = map->readFromParcel(&parcel);
++    }
++
+     ScopedLocalRef<jobject> kcmObj(env,
+-            android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
+-            deviceInfo.getKeyCharacterMap()));
++                                   android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
++                                                                       map));
+     if (!kcmObj.get()) {
+         return NULL;
+     }

Patches/LineageOS-15.1/android_frameworks_base/368061.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Josep del Rio <joseprio@google.com>
+Date: Wed, 12 Jul 2023 16:32:05 +0000
+Subject: [PATCH] Fix KCM key mapping cloning
+
+ag/23792288 tried to fix a security issue by cloning the key
+mappings, but unfortunately the parcel was not being rewinded.
+
+Bug: 274058082
+Test: Confirmed change works in newer Android versions
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aaaba6cf190d976efdc5db6c78997dbdc9214c15)
+Merged-In: I6f75b9202e20d82ebf81a35a2916e653ee1b8372
+Change-Id: I6f75b9202e20d82ebf81a35a2916e653ee1b8372
+---
+ core/jni/android_view_InputDevice.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp
+index 806a88f8f50e..f36300ada64e 100644
+--- a/core/jni/android_view_InputDevice.cpp
++++ b/core/jni/android_view_InputDevice.cpp
+@@ -53,6 +53,7 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
+     if (map != nullptr) {
+         Parcel parcel;
+         map->writeToParcel(&parcel);
++        parcel.setDataPosition(0);
+         map = map->readFromParcel(&parcel);
+     }
+ 

Patches/LineageOS-15.1/android_frameworks_base/368062-backport.patch

@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hongwei Wang <hwwang@google.com>
+Date: Wed, 24 May 2023 19:35:44 -0700
+Subject: [PATCH] Disallow loading icon from content URI to PipMenu
+
+Bug: 278246904
+Test: manually, with the PoC app attached to the bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f5a87d8a0dc9190327ba0e6113d5b80ee96abae)
+Merged-In: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d
+Change-Id: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d
+---
+ .../systemui/pip/phone/PipMenuActivity.java     | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
+index 90f7b8db1c59..646b10c3db45 100644
+--- a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
++++ b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java
+@@ -46,6 +46,7 @@ import android.graphics.PointF;
+ import android.graphics.Rect;
+ import android.graphics.drawable.ColorDrawable;
+ import android.graphics.drawable.Drawable;
++import android.graphics.drawable.Icon;
+ import android.os.Bundle;
+ import android.os.Handler;
+ import android.os.Message;
+@@ -484,11 +485,17 @@ public class PipMenuActivity extends Activity {
+                     final RemoteAction action = mActions.get(i);
+                     final ImageView actionView = (ImageView) mActionsGroup.getChildAt(i);
+ 
+-                    // TODO: Check if the action drawable has changed before we reload it
+-                    action.getIcon().loadDrawableAsync(this, d -> {
+-                        d.setTint(Color.WHITE);
+-                        actionView.setImageDrawable(d);
+-                    }, mHandler);
++                    final int iconType = action.getIcon().getType();
++                    if (iconType == Icon.TYPE_URI /* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/) {
++                        // Disallow loading icon from content URI
++                        actionView.setImageDrawable(null);
++                    } else {
++                        // TODO: Check if the action drawable has changed before we reload it
++                        action.getIcon().loadDrawableAsync(this, d -> {
++                              d.setTint(Color.WHITE);
++                              actionView.setImageDrawable(d);
++                        }, mHandler);
++                    }
+                     actionView.setContentDescription(action.getContentDescription());
+                     if (action.isEnabled()) {
+                         actionView.setOnClickListener(v -> {

Patches/LineageOS-15.1/android_frameworks_base/368063.patch

@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <malhk@google.com>
+Date: Fri, 2 Jun 2023 23:32:02 +0000
+Subject: [PATCH] Fixing DatabaseUtils to detect malformed UTF-16 strings
+
+Test: tested with POC in bug, also using atest
+Bug: 224771621
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)
+Merged-In: Ide65205b83063801971c5778af3154bcf3f0e530
+Change-Id: Ide65205b83063801971c5778af3154bcf3f0e530
+---
+ core/java/android/database/DatabaseUtils.java | 32 +++++++++++++------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/core/java/android/database/DatabaseUtils.java b/core/java/android/database/DatabaseUtils.java
+index 8cd3d7b5bc68..534adcd0a37f 100644
+--- a/core/java/android/database/DatabaseUtils.java
++++ b/core/java/android/database/DatabaseUtils.java
+@@ -337,17 +337,31 @@ public class DatabaseUtils {
+      */
+     public static void appendEscapedSQLString(StringBuilder sb, String sqlString) {
+         sb.append('\'');
+-        if (sqlString.indexOf('\'') != -1) {
+-            int length = sqlString.length();
+-            for (int i = 0; i < length; i++) {
+-                char c = sqlString.charAt(i);
+-                if (c == '\'') {
+-                    sb.append('\'');
++        int length = sqlString.length();
++        for (int i = 0; i < length; i++) {
++            char c = sqlString.charAt(i);
++            if (Character.isHighSurrogate(c)) {
++                if (i == length - 1) {
++                    continue;
++                }
++                if (Character.isLowSurrogate(sqlString.charAt(i + 1))) {
++                    // add them both
++                    sb.append(c);
++                    sb.append(sqlString.charAt(i + 1));
++                    continue;
++                } else {
++                    // this is a lone surrogate, skip it
++                    continue;
+                 }
+-                sb.append(c);
+             }
+-        } else
+-            sb.append(sqlString);
++            if (Character.isLowSurrogate(c)) {
++                continue;
++            }
++            if (c == '\'') {
++                sb.append('\'');
++            }
++            sb.append(c);
++        }
+         sb.append('\'');
+     }
+ 

Patches/LineageOS-15.1/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch

@@ -24,7 +24,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989
  create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java
 
 diff --git a/res/menu/data_usage.xml b/res/menu/data_usage.xml
-index 9fe6b60118..b8be11adbf 100644
+index 9fe6b601182..b8be11adbf3 100644
 --- a/res/menu/data_usage.xml
 +++ b/res/menu/data_usage.xml
 @@ -18,4 +18,8 @@
@@ -37,7 +37,7 @@ index 9fe6b60118..b8be11adbf 100644
 +        android:checkable="true" />
  </menu>
 diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml
-index 91238336d9..314074eff0 100644
+index 91238336d92..314074eff06 100644
 --- a/res/values/cm_strings.xml
 +++ b/res/values/cm_strings.xml
 @@ -374,4 +374,9 @@
@@ -51,7 +51,7 @@ index 91238336d9..314074eff0 100644
 +    <string name="captive_portal_warning_positive">Disable</string>
  </resources>
 diff --git a/src/com/android/settings/ResetNetworkConfirm.java b/src/com/android/settings/ResetNetworkConfirm.java
-index f70d3c27ef..37dae5aa6c 100644
+index f70d3c27efb..37dae5aa6cd 100644
 --- a/src/com/android/settings/ResetNetworkConfirm.java
 +++ b/src/com/android/settings/ResetNetworkConfirm.java
 @@ -27,6 +27,7 @@ import android.net.wifi.WifiManager;
@@ -73,7 +73,7 @@ index f70d3c27ef..37dae5aa6c 100644
                      .show();
          }
 diff --git a/src/com/android/settings/datausage/DataUsageSummary.java b/src/com/android/settings/datausage/DataUsageSummary.java
-index e37cc4a6c6..f5aba01b9c 100644
+index e37cc4a6c6a..f5aba01b9c3 100644
 --- a/src/com/android/settings/datausage/DataUsageSummary.java
 +++ b/src/com/android/settings/datausage/DataUsageSummary.java
 @@ -32,6 +32,7 @@ import android.os.RemoteException;
@@ -167,7 +167,7 @@ index e37cc4a6c6..f5aba01b9c 100644
      }
 diff --git a/src/com/android/settings/network/CaptivePortalWarningDialog.java b/src/com/android/settings/network/CaptivePortalWarningDialog.java
 new file mode 100644
-index 0000000000..b274d6b9f5
+index 00000000000..b274d6b9f5c
 --- /dev/null
 +++ b/src/com/android/settings/network/CaptivePortalWarningDialog.java
 @@ -0,0 +1,69 @@
@@ -242,7 +242,7 @@ index 0000000000..b274d6b9f5
 +}
 diff --git a/src/com/android/settings/network/CaptivePortalWarningDialogHost.java b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java
 new file mode 100644
-index 0000000000..208042ad73
+index 00000000000..208042ad73c
 --- /dev/null
 +++ b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java
 @@ -0,0 +1,28 @@

Patches/LineageOS-15.1/android_packages_apps_Settings/326758.patch

@@ -26,7 +26,7 @@ Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
  1 file changed, 17 insertions(+), 7 deletions(-)
 
 diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
-index d487c70c66..10d714401e 100644
+index d487c70c66f..10d714401e9 100644
 --- a/src/com/android/settings/users/AppRestrictionsFragment.java
 +++ b/src/com/android/settings/users/AppRestrictionsFragment.java
 @@ -17,6 +17,7 @@

Patches/LineageOS-15.1/android_packages_apps_Settings/326759.patch

@@ -27,7 +27,7 @@ Merged-In: I9dfde586616d004befbee529f2ae842d22795065
  1 file changed, 14 insertions(+), 1 deletion(-)
 
 diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
-index e5d40b7add..c0726719e0 100644
+index e5d40b7add0..c0726719e0a 100644
 --- a/src/com/android/settings/CredentialStorage.java
 +++ b/src/com/android/settings/CredentialStorage.java
 @@ -131,7 +131,7 @@ public final class CredentialStorage extends Activity {

Patches/LineageOS-15.1/android_packages_apps_Settings/334265.patch

@@ -22,7 +22,7 @@ Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
  1 file changed, 1 insertion(+), 4 deletions(-)
 
 diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
-index 10d714401e..bf0f3da8d0 100644
+index 10d714401e9..bf0f3da8d00 100644
 --- a/src/com/android/settings/users/AppRestrictionsFragment.java
 +++ b/src/com/android/settings/users/AppRestrictionsFragment.java
 @@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen

Patches/LineageOS-15.1/android_packages_apps_Settings/335111.patch

@@ -17,7 +17,7 @@ Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
  1 file changed, 18 insertions(+)
 
 diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
-index 9f9f832b10..751eb8c8e7 100644
+index 9f9f832b100..751eb8c8e7c 100644
 --- a/src/com/android/settings/DefaultRingtonePreference.java
 +++ b/src/com/android/settings/DefaultRingtonePreference.java
 @@ -22,6 +22,7 @@ import android.content.Intent;

Patches/LineageOS-15.1/android_packages_apps_Settings/335114.patch

@@ -23,7 +23,7 @@ Merged-In: I044b680871472a3c272f6264c4ef272df542112e
  1 file changed, 5 insertions(+)
 
 diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
-index 751eb8c8e7..226cde693b 100644
+index 751eb8c8e7c..226cde693b1 100644
 --- a/src/com/android/settings/DefaultRingtonePreference.java
 +++ b/src/com/android/settings/DefaultRingtonePreference.java
 @@ -44,6 +44,11 @@ public class DefaultRingtonePreference extends RingtonePreference {

Patches/LineageOS-15.1/android_packages_apps_Settings/335115.patch

@@ -20,7 +20,7 @@ Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
-index 226cde693b..f3eeff9df2 100644
+index 226cde693b1..f3eeff9df25 100644
 --- a/src/com/android/settings/DefaultRingtonePreference.java
 +++ b/src/com/android/settings/DefaultRingtonePreference.java
 @@ -49,7 +49,7 @@ public class DefaultRingtonePreference extends RingtonePreference {

Patches/LineageOS-15.1/android_packages_apps_Settings/345911.patch

@@ -27,7 +27,7 @@ Merged-In: I98eea867f926c508456ec9bc654e24eeeffa0e54
  1 file changed, 30 insertions(+), 13 deletions(-)
 
 diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java
-index 0f67b181de..a874d6a0e5 100644
+index 0f67b181de3..a874d6a0e57 100644
 --- a/src/com/android/settings/users/EditUserPhotoController.java
 +++ b/src/com/android/settings/users/EditUserPhotoController.java
 @@ -22,7 +22,9 @@ import android.content.ClipData;

Patches/LineageOS-15.1/android_packages_apps_Settings/345912-backport.patch

@@ -19,7 +19,7 @@ Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
  4 files changed, 32 insertions(+)
 
 diff --git a/src/com/android/settings/password/ChooseLockPassword.java b/src/com/android/settings/password/ChooseLockPassword.java
-index 9f5192d044..c7e0673b8a 100644
+index 9f5192d0441..c7e0673b8ae 100644
 --- a/src/com/android/settings/password/ChooseLockPassword.java
 +++ b/src/com/android/settings/password/ChooseLockPassword.java
 @@ -49,6 +49,7 @@ import android.view.LayoutInflater;
@@ -39,7 +39,7 @@ index 9f5192d044..c7e0673b8a 100644
  
      public static class ChooseLockPasswordFragment extends InstrumentedPreferenceFragment
 diff --git a/src/com/android/settings/password/ChooseLockPattern.java b/src/com/android/settings/password/ChooseLockPattern.java
-index f65b4b3cf5..e4fa302f0a 100644
+index f65b4b3cf5e..e4fa302f0af 100644
 --- a/src/com/android/settings/password/ChooseLockPattern.java
 +++ b/src/com/android/settings/password/ChooseLockPattern.java
 @@ -29,6 +29,7 @@ import android.view.View;
@@ -59,7 +59,7 @@ index f65b4b3cf5..e4fa302f0a 100644
  
      @Override
 diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
-index b8f06793ac..0970e5f3bf 100644
+index b8f06793ac3..0970e5f3bf1 100644
 --- a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
 +++ b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
 @@ -16,6 +16,8 @@
@@ -95,7 +95,7 @@ index b8f06793ac..0970e5f3bf 100644
          ShadowDrawable drawable = setActivityAndGetIconDrawable(true);
          assertThat(drawable.getCreatedFromResId()).isEqualTo(R.drawable.ic_fingerprint_header);
 diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
-index c74448b5dd..7735e5db9f 100644
+index c74448b5dd9..7735e5db9f4 100644
 --- a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
 +++ b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
 @@ -16,6 +16,8 @@

Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch

@@ -29,7 +29,7 @@ Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
  2 files changed, 26 insertions(+), 1 deletion(-)
 
 diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java
-index a3d26af8eb..6653dd0ba9 100644
+index a3d26af8eb7..6653dd0ba98 100644
 --- a/src/com/android/settings/SettingsPreferenceFragment.java
 +++ b/src/com/android/settings/SettingsPreferenceFragment.java
 @@ -49,6 +49,7 @@ import com.android.settings.applications.LayoutPreference;
@@ -83,7 +83,7 @@ index a3d26af8eb..6653dd0ba9 100644
          highlightPreferenceIfNeeded();
          updateEmptyView();
 diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java
-index 48295a42e1..add340f230 100644
+index 48295a42e18..add340f2306 100644
 --- a/src/com/android/settings/system/ResetDashboardFragment.java
 +++ b/src/com/android/settings/system/ResetDashboardFragment.java
 @@ -56,6 +56,11 @@ public class ResetDashboardFragment extends DashboardFragment {

Patches/LineageOS-15.1/android_packages_apps_Settings/358568-backport.patch

@@ -13,7 +13,7 @@ Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java
-index cca15c96d3..2e23e93124 100644
+index cca15c96d3c..2e23e931241 100644
 --- a/src/com/android/settings/accounts/AddAccountSettings.java
 +++ b/src/com/android/settings/accounts/AddAccountSettings.java
 @@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity {

Patches/LineageOS-15.1/android_packages_apps_Settings/365973-backport.patch

@@ -21,7 +21,7 @@ Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
  1 file changed, 64 insertions(+), 56 deletions(-)
 
 diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java
-index ebad411531..981930987a 100644
+index ebad4115318..981930987a6 100644
 --- a/src/com/android/settings/DeviceAdminAdd.java
 +++ b/src/com/android/settings/DeviceAdminAdd.java
 @@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt;

Patches/LineageOS-15.1/android_packages_apps_Settings/367639-backport.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Weng Su <wengsu@google.com>
+Date: Fri, 7 Jul 2023 19:52:04 +0800
+Subject: [PATCH] Restrict ApnEditor settings
+
+- Finish ApnEditor settings if user is not an admin
+
+- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction
+
+Bug: 279902472
+Test: manual test
+make RunSettingsRoboTests ROBOTEST_FILTER=ApnEditorTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c2d727b8f9198bf758a4896eda7c9e5385435ff)
+Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
+Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
+---
+ src/com/android/settings/ApnEditor.java | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/com/android/settings/ApnEditor.java b/src/com/android/settings/ApnEditor.java
+index 50a7a77309a..c1b19153fb6 100644
+--- a/src/com/android/settings/ApnEditor.java
++++ b/src/com/android/settings/ApnEditor.java
+@@ -27,6 +27,7 @@ import android.database.Cursor;
+ import android.net.Uri;
+ import android.os.Bundle;
+ import android.os.PersistableBundle;
++import android.os.UserManager;
+ import android.provider.Telephony;
+ import android.support.v14.preference.MultiSelectListPreference;
+ import android.support.v14.preference.SwitchPreference;
+@@ -179,6 +180,11 @@ public class ApnEditor extends SettingsPreferenceFragment
+     @Override
+     public void onCreate(Bundle icicle) {
+         super.onCreate(icicle);
++        if (isUserRestricted()) {
++            Log.e(TAG, "This setting isn't available due to user restriction.");
++            finish();
++            return;
++        }
+ 
+         addPreferencesFromResource(R.xml.apn_editor);
+ 
+@@ -1118,6 +1124,22 @@ public class ApnEditor extends SettingsPreferenceFragment
+         }
+     }
+ 
++    boolean isUserRestricted() {
++        UserManager userManager = getContext().getSystemService(UserManager.class);
++        if (userManager == null) {
++            return false;
++        }
++        if (!userManager.isAdminUser()) {
++            Log.e(TAG, "User is not an admin");
++            return true;
++        }
++        if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
++            Log.e(TAG, "User is not allowed to configure mobile network");
++            return true;
++        }
++        return false;
++    }
++
+     private String checkNotSet(String value) {
+         if (value == null || value.equals(sNotSet)) {
+             return "";

Patches/LineageOS-15.1/android_system_vold/0001-AES256.patch

@@ -10,7 +10,7 @@ Change-Id: Ib2d53a1d22e935ef0fa5f0f91e3bf5308d9c6459
  2 files changed, 12 insertions(+), 1 deletion(-)
 
 diff --git a/Android.mk b/Android.mk
-index 2beae28..25fd823 100644
+index 2beae282..25fd823e 100644
 --- a/Android.mk
 +++ b/Android.mk
 @@ -115,6 +115,10 @@ ifeq ($(TARGET_HW_DISK_ENCRYPTION),true)
@@ -25,7 +25,7 @@ index 2beae28..25fd823 100644
    vold_cflags += -DCONFIG_EXFAT_DRIVER=\"$(TARGET_EXFAT_DRIVER)\"
    mini_src_files += fs/Exfat.cpp
 diff --git a/cryptfs.cpp b/cryptfs.cpp
-index e33afdd..5102f12 100644
+index e33afddf..5102f126 100644
 --- a/cryptfs.cpp
 +++ b/cryptfs.cpp
 @@ -75,9 +75,17 @@ extern "C" {

Scripts/LineageOS-15.1/Patch.sh

@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-10-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -130,6 +130,10 @@ if enterAndClear "external/libvpx"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_libvpx/CVE-2023-5217.patch"; #VP8: disallow thread count changes
 fi;
 
+if enterAndClear "external/libxml2"; then
+applyPatch "$DOS_PATCHES/android_external_libxml2/368053.patch"; #R_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+fi;
+
 if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 fi;
@@ -212,6 +216,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
 applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
 applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+applyPatch "$DOS_PATCHES/android_frameworks_base/368055.patch"; #R_asb_2023-10 RingtoneManager: verify default ringtone is audio
+applyPatch "$DOS_PATCHES/android_frameworks_base/368059.patch"; #R_asb_2023-10 Do not share key mappings with JNI object
+applyPatch "$DOS_PATCHES/android_frameworks_base/368061.patch"; #R_asb_2023-10 Fix KCM key mapping cloning
+applyPatch "$DOS_PATCHES/android_frameworks_base/368062-backport.patch"; #R_asb_2023-10 Disallow loading icon from content URI to PipMenu
+applyPatch "$DOS_PATCHES/android_frameworks_base/368063.patch"; #R_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@@ -358,6 +367,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch";
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/367639-backport.patch"; #n-asb-2023-10 Restrict ApnEditor settings
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then