Integrate Dec 2021 ASB Patches
Tracked-On: OAM-100174
Signed-off-by: svenate <[email protected]>
SaliniVenate authored and sysopenci committed Dec 3, 2021
1 parent 3218bc1 commit 896b17e
Showing 19 changed files with 1,366 additions and 1 deletion.
Expand Up @@ -20,7 +20,7 @@ index 13b85c0663..084f400e67 100644
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2021-07-05
+ PLATFORM_SECURITY_PATCH := 2021-11-01
+ PLATFORM_SECURITY_PATCH := 2021-12-01
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH

@@ -0,0 +1,81 @@
From e5988a8dac6a20fc61d610f5ebe1f85fc12820f6 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <[email protected]>
Date: Wed, 15 Sep 2021 18:40:53 -0700
Subject: [PATCH] handle cases where order isn't a multiple of dimension

loop around vorbis_book_decodev_set() didn't support a case where
info->order wasn't an integer multple of dimension.

vorbis_book_decodev_set() is now updated to handle the loop inside
with appropriate checks added.

Other functions vorbis_book_decode_*() have appropriate checks where
they are called. So added a comment for those.

This fix is similar to the one in Xiph tremor project's
commit 80661a13c93a01f25b8df4e89fecad0eee69ddcc

Bug: 199065614
Test: clusterfuzz generated poc in bug
Test: atest VorbisDecoderTest -- --enable-module-dynamic-download=true
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Test: atest CtsMediaV2TestCases -- --module-arg CtsMediaV2TestCases:\
instrumentation-arg:codec-prefix:=c2.android.vorbis.decoder

Change-Id: Ibb94e7fc361e843caad7f7620229377dc1f8dd73
(cherry picked from commit 42aa2b936a078e2f69725e95009affcc93cb0f98)
---
Tremolo/codebook.c | 5 +++++
Tremolo/floor0.c | 5 ++---
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index 43c4917..326a9bc 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -848,6 +848,7 @@ static int decode_map(codebook *s, oggpack_buffer *b, ogg_int32_t *v, int point)
#endif

/* returns 0 on OK or -1 on eof *************************************/
+/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
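Review bot: The comment added above vorbis_book_decodevs_add misspells "guarding" as "gaurding", and the same typo is repeated in the comment added above vorbis_book_decodev_add in the next hunk. These comments are the only record that the n/dim check lives in the callers, so they should be spelled correctly and state what the caller must guarantee, e.g. `/* caller must ensure n is a whole multiple of book->dim; no granularity check is done here */`. Both function bodies continue outside the hunks, so whether n is otherwise bounded there is not visible.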
@@ -865,6 +866,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
return 0;
}

+/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
@@ -881,6 +883,9 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
return 0;
}

+/* unlike the others, we guard against n not being an integer number
+ of <dim> internally rather than in the upper layer (called only by
+ floor0) */
long vorbis_book_decodev_set(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
diff --git a/Tremolo/floor0.c b/Tremolo/floor0.c
index 7e74d1e..ea814e5 100644
--- a/Tremolo/floor0.c
+++ b/Tremolo/floor0.c
@@ -426,10 +426,9 @@ ogg_int32_t *floor0_inverse1(vorbis_dsp_state *vd,vorbis_info_floor *i,
}
ogg_int32_t last=0;

- for(j=0;j<info->order;j+=b->dim)
- if(vorbis_book_decodev_set(b,lsp+j,&vd->opb,b->dim,-24)==-1)goto eop;
+ if(vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)==-1)goto eop;
for(j=0;j<info->order;){
- for(k=0;k<b->dim;k++,j++)lsp[j]+=last;
+ for(k=0;k<b->dim && j<info->order;k++,j++)lsp[j]+=last;
last=lsp[j-1];
}
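Review bot: The single call `vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)` is only safe if vorbis_book_decodev_set stops writing after n entries, but the codebook.c hunks in this patch add comments only (the diffstat shows 5 insertions and no deletions there). The bound this call now depends on is therefore not visible anywhere in the patch. Please confirm that the copy loop inside vorbis_book_decodev_set checks the output index against n when n is not a multiple of book->dim, since its body lies outside the hunk. A comment at the call site would record the dependency, e.g. `/* decodev_set bounds its writes by n; lsp must hold at least info->order entries */`. The allocation of lsp is also outside this hunk.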

--
2.17.1

@@ -0,0 +1,81 @@
From d9dfa6429696c6ae18804b0326e582335cff3723 Mon Sep 17 00:00:00 2001
From: Santiago Seifert <[email protected]>
Date: Thu, 30 Sep 2021 13:15:21 +0000
Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor am: d13a4efc7a

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15747591

Bug: 201632451
Bug: 188893559
Change-Id: Ie775311a46cb1ddddd30e8cfa882d549b9ddfd05
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 3c5de138ed3b697e0119e7526ae7f6ed09f357cc)
---
media/extractors/mp4/MPEG4Extractor.cpp | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
mode change 100755 => 100644 media/extractors/mp4/MPEG4Extractor.cpp

diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
old mode 100755
new mode 100644
index a976a2b12a..f157d359b2
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -146,6 +146,7 @@ private:

MediaBufferHelper *mBuffer;

+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;

bool mIsHeif;
@@ -4882,6 +4883,7 @@ MPEG4Source::MPEG4Source(
mNALLengthSize(0),
mStarted(false),
mBuffer(NULL),
+ mSrcBufferSize(0),
mSrcBuffer(NULL),
mIsHeif(itemTable != NULL),
mItemTable(itemTable),
@@ -5060,6 +5062,7 @@ media_status_t MPEG4Source::start() {
// file probably specified a bad max size
return AMEDIA_ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;

mStarted = true;

@@ -5076,6 +5079,7 @@ media_status_t MPEG4Source::stop() {
mBuffer = NULL;
}

+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;

@@ -6242,13 +6246,20 @@ media_status_t MPEG4Source::read(
// Whole NAL units are returned but each fragment is prefixed by
// the start code (0x00 00 00 01).
ssize_t num_bytes_read = 0;
- num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;
+ if (mSrcBufferFitsDataToRead) {
+ num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // We are trying to read a sample larger than the expected max sample size.
+ // Fall through and let the failure be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
+ }

if (num_bytes_read < (ssize_t)size) {
mBuffer->release();
mBuffer = NULL;

- return AMEDIA_ERROR_IO;
+ return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;
}

uint8_t *dstData = (uint8_t *)mBuffer->data();
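Review bot: The size check added here protects only this one `readAt` into mSrcBuffer. Any other read or copy into mSrcBuffer elsewhere in MPEG4Source (none are visible in these hunks) would need the same comparison against mSrcBufferSize to be covered. Separately, `mSrcBufferFitsDataToRead` is a local but carries the `m` prefix that the surrounding code uses for members such as mSrcBuffer and mSrcBufferSize, so it reads like object state; `const bool srcBufferFitsDataToRead = size <= mSrcBufferSize;` would avoid that. read() starts and ends outside the hunk.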
--
2.17.1

@@ -0,0 +1,38 @@
From eb39860fd06575aab3a9d2ba11f4a44acabddc21 Mon Sep 17 00:00:00 2001
From: Manisha Jajoo <[email protected]>
Date: Fri, 23 Jul 2021 23:03:50 +0530
Subject: [PATCH] C2SoftMp3Dec: fix OOB write in output buffer

outputFrameSize, calOutSize and outSize are calculated at 8bit level
However, the library expects outputFrameSize in int16 samples.
One of the initialization of outputFrameSize was in bytes.
This is now corrected.

Test: clusterfuzz generated poc in bug
Test: atest android.mediav2.cts.CodecDecoderTest
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest

Bug: 193363621

Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
(cherry picked from commit dc32721e28e79df4dd2f5bb896bcf586ebeda5e9)
---
media/codec2/components/mp3/C2SoftMp3Dec.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/media/codec2/components/mp3/C2SoftMp3Dec.cpp b/media/codec2/components/mp3/C2SoftMp3Dec.cpp
index 5ba7e3d78f..3984f62278 100644
--- a/media/codec2/components/mp3/C2SoftMp3Dec.cpp
+++ b/media/codec2/components/mp3/C2SoftMp3Dec.cpp
@@ -405,7 +405,7 @@ void C2SoftMP3::process(
mConfig->inputBufferCurrentLength = (inSize - inPos);
mConfig->inputBufferMaxLength = 0;
mConfig->inputBufferUsedLength = 0;
- mConfig->outputFrameSize = (calOutSize - outSize);
+ mConfig->outputFrameSize = (calOutSize - outSize) / sizeof(int16_t);
mConfig->pOutputBuffer = reinterpret_cast<int16_t *> (wView.data() + outSize);

ERROR_CODE decoderErr;
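Review bot: Nothing in this hunk bounds outSize by calOutSize before the subtraction on the changed line. If both are unsigned (their declarations are outside the hunk), an outSize larger than calOutSize would wrap and still leave a very large outputFrameSize after the division. If that ordering is guaranteed earlier in process(), a short comment would make it reviewable. The unit is also worth stating next to the assignment, because a byte/sample mix-up was the original bug: `// outputFrameSize is in int16_t samples, not bytes`. process() continues outside the hunk.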
--
2.17.1

@@ -0,0 +1,105 @@
From 77e678b8aa1278058537f3df10347535ffeaf8bd Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <[email protected]>
Date: Thu, 17 Jun 2021 13:16:38 -0700
Subject: [PATCH] Change ownership of the account request notification.

Add "Permission requested by Application..." string.
Test: manual
Bug: 179338675

Change-Id: Ib66ccc1b39bd1f3f8fa3b1efc38a9d413b72a321
(cherry picked from commit 26de0c231ffb9fd8d22e80ca120c766c26276779)
---
core/res/res/values/strings.xml | 2 ++
core/res/res/values/symbols.xml | 1 +
.../accounts/AccountManagerService.java | 21 +++++++++++++------
3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index d6ee28b93f92..5c659123b027 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -3780,6 +3780,8 @@
<string name="deny">Deny</string>
<string name="permission_request_notification_title">Permission requested</string>
<string name="permission_request_notification_with_subtitle">Permission requested\nfor account <xliff:g id="account" example="[email protected]">%s</xliff:g>.</string>
+ <!-- Title and subtitle for notification shown when app request account access (two lines) [CHAR LIMIT=NONE] -->
+ <string name="permission_request_notification_for_app_with_subtitle">Permission requested by <xliff:g id="app" example="Gmail">%1$s</xliff:g>\nfor account <xliff:g id="account" example="[email protected]">%2$s</xliff:g>.</string>

<!-- Message to show when an intent automatically switches users into the personal profile. -->
<string name="forward_intent_to_owner">You\'re using this app outside of your work profile</string>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index 3ef0a8dc9daa..3c2aa621864b 100644
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -548,6 +548,7 @@
<java-symbol type="string" name="notification_title" />
<java-symbol type="string" name="other_networks_no_internet" />
<java-symbol type="string" name="permission_request_notification_with_subtitle" />
+ <java-symbol type="string" name="permission_request_notification_for_app_with_subtitle" />
<java-symbol type="string" name="prepend_shortcut_label" />
<java-symbol type="string" name="private_dns_broken_detailed" />
<java-symbol type="string" name="paste_as_plain_text" />
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 2e04f9c2bcd1..db3c25a7e43a 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -449,7 +449,7 @@ public class AccountManagerService
if (!checkAccess || hasAccountAccess(account, packageName,
UserHandle.getUserHandleForUid(uid))) {
cancelNotification(getCredentialPermissionNotificationId(account,
- AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid),
UserHandle.getUserHandleForUid(uid));
}
}
@@ -3051,8 +3051,8 @@ public class AccountManagerService
String authTokenType = intent.getStringExtra(
GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE);
final String titleAndSubtitle =
- mContext.getString(R.string.permission_request_notification_with_subtitle,
- account.name);
+ mContext.getString(R.string.permission_request_notification_for_app_with_subtitle,
+ getApplicationLabel(packageName), account.name);
final int index = titleAndSubtitle.indexOf('\n');
String title = titleAndSubtitle;
String subtitle = "";
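Review bot: The application label is supplied by the requesting package, and it is now formatted into the string that the following line splits at the first '\n' into title and subtitle. A label that itself contains a line break would move that split point, and an overlong label would dominate a notification that the next hunk posts under the "android" package. Consider normalising the label before formatting it, for example collapsing line breaks to spaces and capping its length inside getApplicationLabel. The rest of this method lies outside the hunk.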
@@ -3075,7 +3075,16 @@ public class AccountManagerService
null, user))
.build();
installNotification(getCredentialPermissionNotificationId(
- account, authTokenType, uid), n, packageName, user.getIdentifier());
+ account, authTokenType, uid), n, "android", user.getIdentifier());
+ }
+
+ private String getApplicationLabel(String packageName) {
+ try {
+ return mPackageManager.getApplicationLabel(
+ mPackageManager.getApplicationInfo(packageName, 0)).toString();
+ } catch (PackageManager.NameNotFoundException e) {
+ return packageName;
+ }
}

private Intent newGrantCredentialsPermissionIntent(Account account, String packageName,
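Review bot: getApplicationLabel resolves the package with `mPackageManager.getApplicationInfo(packageName, 0)`, which carries no user, while the notification is installed for `user.getIdentifier()`. If mPackageManager is bound to the system user (its construction is not visible here), a package installed only in another user or profile would hit NameNotFoundException and the raw package name would be shown instead of the label. Passing the user id through, e.g. `mPackageManager.getApplicationInfoAsUser(packageName, 0, userId)`, would resolve the label for the user who actually sees the notification. The helper also has no comment; one line stating that it falls back to the package name when the lookup fails would be enough.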
@@ -3111,7 +3120,7 @@ public class AccountManagerService
nId = accounts.credentialsPermissionNotificationIds.get(key);
if (nId == null) {
String tag = TAG + ":" + SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION
- + ":" + account.hashCode() + ":" + authTokenType.hashCode();
+ + ":" + account.hashCode() + ":" + authTokenType.hashCode() + ":" + uid;
int id = SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION;
nId = new NotificationId(tag, id);
accounts.credentialsPermissionNotificationIds.put(key, nId);
@@ -4064,7 +4073,7 @@ public class AccountManagerService

private void handleAuthenticatorResponse(boolean accessGranted) throws RemoteException {
cancelNotification(getCredentialPermissionNotificationId(account,
- AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid),
UserHandle.getUserHandleForUid(uid));
if (callback != null) {
Bundle result = new Bundle();
--
2.17.1

@@ -0,0 +1,66 @@
From 07acc39b7b1eb19fd7522c9764e5174cf22c86b5 Mon Sep 17 00:00:00 2001
From: cnchen <[email protected]>
Date: Mon, 6 Jul 2020 19:58:44 +0800
Subject: [PATCH] Fix NPE on getTitle()

Bug: 199922685
Test: make RunSettingsLibRoboTests -j40
Change-Id: I35bf6f5911dc0ee56e43af7faddaceb479362863
(cherry picked from commit f00f2203b578e919e56f21f3a4119a974b942243)
Merged-In: I35bf6f5911dc0ee56e43af7faddaceb479362863
(cherry picked from commit c006ad915aea348043446a45cc019f522c83928c)
---
.../src/com/android/settingslib/wifi/AccessPoint.java | 10 ++++++----
.../com/android/settingslib/wifi/AccessPointTest.java | 11 +++++++++++
2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java b/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
index 8968340b65f4..c5e66bef9653 100644
--- a/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
+++ b/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
@@ -1117,14 +1117,16 @@ public class AccessPoint implements Comparable<AccessPoint> {
* Returns the display title for the AccessPoint, such as for an AccessPointPreference's title.
*/
public String getTitle() {
- if (isPasspoint()) {
+ if (isPasspoint() && !TextUtils.isEmpty(mConfig.providerFriendlyName)) {
return mConfig.providerFriendlyName;
- } else if (isPasspointConfig()) {
+ } else if (isPasspointConfig() && !TextUtils.isEmpty(mProviderFriendlyName)) {
return mProviderFriendlyName;
- } else if (isOsuProvider()) {
+ } else if (isOsuProvider() && !TextUtils.isEmpty(mOsuProvider.getFriendlyName())) {
return mOsuProvider.getFriendlyName();
- } else {
+ } else if (!TextUtils.isEmpty(getSsidStr())) {
return getSsidStr();
+ } else {
+ return "";
}
}
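Review bot: The Javadoc above getTitle() still says only that it returns the display title, although the method now falls back through each source and finally returns an empty string. Callers benefit from knowing the result is never null, so I would add `@return the first non-empty friendly name or SSID, or "" if none is available; never null`. In the OSU branch `mOsuProvider.getFriendlyName()` is called twice; storing the result in a local would avoid the repeated call.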

diff --git a/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java b/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
index bcabec858487..46ecbd45a860 100644
--- a/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
+++ b/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
@@ -147,6 +147,17 @@ public class AccessPointTest {
assertThat(ssid instanceof SpannableString).isFalse();
}

+ @Test
+ public void testCompareTo_GivesNull() {
+ WifiConfiguration spyConfig = spy(new WifiConfiguration());
+
+ when(spyConfig.isPasspoint()).thenReturn(true);
+ spyConfig.providerFriendlyName = null;
+ AccessPoint passpointAp = new AccessPoint(mContext, spyConfig);
+
+ assertThat(passpointAp.getTitle()).isEqualTo("");
+ }
+
@Test
public void testCompareTo_GivesActiveBeforeInactive() {
AccessPoint activeAp = new TestAccessPointBuilder(mContext).setActive(true).build();
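Review bot: The new test is named `testCompareTo_GivesNull`, but it never calls compareTo and it asserts an empty string rather than null. A name such as `testGetTitle_passpointWithoutFriendlyName_returnsEmptyString` would describe what is checked. Only the passpoint branch is covered; the passpoint-config, OSU-provider and empty-SSID fallbacks added in getTitle() have no test in this patch.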
--
2.17.1
