ASB JAN 2025 Security Patches integration
Integrating Google Android Security Bulletin Patches Test done: STS r34 TCs Passed. Tracked-On: OAM-128703 Signed-off-by: AlamIntel <[email protected]>
Showing
20 changed files
with
3,188 additions
and
1 deletion.
38 changes: 38 additions & 0 deletions
38
...aos/external/giflib/0001-Fix-potential-overflow-when-calculating-ImageSize.bulletin.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
From ae7d5e47ae22ebca28096ce6f485ad9c1732d17d Mon Sep 17 00:00:00 2001 | ||
From: Sadaf Ebrahimi <[email protected]> | ||
Date: Tue, 17 Sep 2024 21:02:42 +0000 | ||
Subject: [PATCH] Fix potential overflow when calculating ImageSize | ||
|
||
The modified if statement doesn't check the size of ImageDesc.Width and | ||
ImageDesc.Height. If ImageDesc.Width and ImageDesc.Height are larger | ||
than SIZE_MAX, then ImageSize overflows. | ||
|
||
Bug: 355461643 | ||
Test: TreeHugger | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c05fa63b68950854922bc42d8e1bc12d056b0ff) | ||
Merged-In: Ieef04e789acf783eda2dff2cd9284ed204f1d117 | ||
Change-Id: Ieef04e789acf783eda2dff2cd9284ed204f1d117 | ||
--- | ||
dgif_lib.c | 6 ++++-- | ||
1 file changed, 4 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/dgif_lib.c b/dgif_lib.c | ||
index 66a1d6a..7b43a6a 100644 | ||
--- a/dgif_lib.c | ||
+++ b/dgif_lib.c | ||
@@ -1099,8 +1099,10 @@ DGifSlurp(GifFileType *GifFile) | ||
|
||
sp = &GifFile->SavedImages[GifFile->ImageCount - 1]; | ||
/* Allocate memory for the image */ | ||
- if (sp->ImageDesc.Width < 0 && sp->ImageDesc.Height < 0 && | ||
- sp->ImageDesc.Width > (INT_MAX / sp->ImageDesc.Height)) { | ||
+ if (sp->ImageDesc.Width <= 0 || | ||
+ sp->ImageDesc.Height <= 0 || | ||
+ sp->ImageDesc.Width > | ||
+ (INT_MAX / sp->ImageDesc.Height)) { | ||
return GIF_ERROR; | ||
} | ||
ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height; | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
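Review bot: The new guard returns `GIF_ERROR` without recording a reason, so within these lines a caller of `DGifSlurp` cannot tell an oversized or zero-sized image from any other failure; setting `GifFile->Error = D_GIF_ERR_DATA_TOO_BIG;` before the return would make the rejection diagnosable. The bound is `INT_MAX` while the patch description speaks of `SIZE_MAX`; a short comment such as `/* Width * Height is evaluated in int, so bound the product by INT_MAX */` would explain the choice, assuming both fields are int-typed, which the hunk does not show. The check also starts rejecting images with a zero width or height, which the old condition let through, so it is worth confirming that no caller relies on empty frames. `DGifSlurp` begins and continues outside the hunk.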
63 changes: 63 additions & 0 deletions
63
...s/frameworks/base/99_0302-RingtoneManager-verify-default-ringtone-is-audio.bulletin.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
From bcc4a16e5bde28d95cffa074443da7eb54a1ea76 Mon Sep 17 00:00:00 2001 | ||
From: Jean-Michel Trivi <[email protected]> | ||
Date: Wed, 7 Dec 2022 04:36:46 +0000 | ||
Subject: [PATCH] RingtoneManager: verify default ringtone is audio | ||
|
||
When a ringtone picker tries to set a ringtone through | ||
RingtoneManager.setActualDefaultRingtoneUri (also | ||
called by com.android.settings.DefaultRingtonePreference), | ||
verify the mimeType can be obtained (not found when caller | ||
doesn't have access to it) and it is an audio resource. | ||
|
||
Bug: 205837340 | ||
Test: atest android.media.audio.cts.RingtoneManagerTest | ||
(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0a4792b62ea86c153653b0663ffe920d90b7cc15) | ||
Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e | ||
Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e | ||
--- | ||
media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++-- | ||
1 file changed, 17 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java | ||
index 4ec79b7e085a..8aecf7f17026 100644 | ||
--- a/media/java/android/media/RingtoneManager.java | ||
+++ b/media/java/android/media/RingtoneManager.java | ||
@@ -802,10 +802,10 @@ public class RingtoneManager { | ||
|
||
return ringtoneUri; | ||
} | ||
- | ||
+ | ||
/** | ||
* Sets the {@link Uri} of the default sound for a given sound type. | ||
- * | ||
+ * | ||
* @param context A context used for querying. | ||
* @param type The type whose default sound should be set. One of | ||
* {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or | ||
@@ -826,6 +826,21 @@ public class RingtoneManager { | ||
if(!isInternalRingtoneUri(ringtoneUri)) { | ||
ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId()); | ||
} | ||
+ | ||
+ if (ringtoneUri != null) { | ||
+ final String mimeType = resolver.getType(ringtoneUri); | ||
+ if (mimeType == null) { | ||
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri | ||
+ + " ignored: failure to find mimeType (no access from this context?)"); | ||
+ return; | ||
+ } | ||
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { | ||
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri | ||
+ + " ignored: associated mimeType:" + mimeType + " is not an audio type"); | ||
+ return; | ||
+ } | ||
+ } | ||
+ | ||
Settings.System.putStringForUser(resolver, setting, | ||
ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId()); | ||
|
||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
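Review bot: The Javadoc touched by the first hunk only loses trailing whitespace and still does not say that the call can now be dropped: the added block returns early, with nothing but an error log, when `resolver.getType(ringtoneUri)` is null or is neither `audio/*` nor `application/ogg`. Because the visible early exits are bare `return;` statements, callers get no signal, so the contract should be written down, e.g. `* <p>The URI is ignored if its MIME type cannot be resolved from {@code context} or is not an audio type.` A why-comment above the check should also note that the type is the one reported by the provider that owns the URI, so this confirms resolvability and declared type rather than inspecting the content. The method body starts and ends outside both hunks.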
71 changes: 71 additions & 0 deletions
71
...ameworks/base/99_0303--SettingsProvider-verify-ringtone-URI-before-setting.bulletin.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
From da9dd005ceaf2cd681411ff646efd17e1ac75230 Mon Sep 17 00:00:00 2001 | ||
From: Songchun Fan <[email protected]> | ||
Date: Mon, 14 Aug 2023 15:24:11 -0700 | ||
Subject: [PATCH] [SettingsProvider] verify ringtone URI before setting | ||
|
||
Similar to ag/24422287, but the same URI verification should be done in | ||
SettingsProvider as well, which can be called by apps via | ||
Settings.System API or ContentProvider APIs without using | ||
RingtoneManager. | ||
|
||
BUG: 227201030 | ||
Test: manual with a test app. Will add a CTS test. | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b234678ec122994ccbfc52ac48aafdad7fdb1ed) | ||
Merged-In: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b | ||
Change-Id: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b | ||
--- | ||
.../providers/settings/SettingsProvider.java | 31 +++++++++++++++++++ | ||
1 file changed, 31 insertions(+) | ||
|
||
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
index 8dd77a675d6e..4df565045e82 100644 | ||
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
@@ -1906,6 +1906,9 @@ public class SettingsProvider extends ContentProvider { | ||
cacheName = Settings.System.ALARM_ALERT_CACHE; | ||
} | ||
if (cacheName != null) { | ||
+ if (!isValidAudioUri(name, value)) { | ||
+ return false; | ||
+ } | ||
final File cacheFile = new File( | ||
getRingtoneCacheDir(owningUserId), cacheName); | ||
cacheFile.delete(); | ||
@@ -1938,6 +1941,34 @@ public class SettingsProvider extends ContentProvider { | ||
} | ||
} | ||
|
||
+ private boolean isValidAudioUri(String name, String uri) { | ||
+ if (uri != null) { | ||
+ Uri audioUri = Uri.parse(uri); | ||
+ if (Settings.AUTHORITY.equals( | ||
+ ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) { | ||
+ // Don't accept setting the default uri to self-referential URIs like | ||
+ // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this | ||
+ // setting. | ||
+ return false; | ||
+ } | ||
+ final String mimeType = getContext().getContentResolver().getType(audioUri); | ||
+ if (mimeType == null) { | ||
+ Slog.e(LOG_TAG, | ||
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri | ||
+ + " ignored: failure to find mimeType (no access from this context?)"); | ||
+ return false; | ||
+ } | ||
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") | ||
+ || mimeType.equals("application/x-flac"))) { | ||
+ Slog.e(LOG_TAG, | ||
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri | ||
+ + " ignored: associated mimeType: " + mimeType + " is not an audio type"); | ||
+ return false; | ||
+ } | ||
+ } | ||
+ return true; | ||
+ } | ||
+ | ||
private boolean hasWriteSecureSettingsPermission() { | ||
// Write secure settings is a more protected permission. If caller has it we are good. | ||
return getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS) | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
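Review bot: `isValidAudioUri` resolves the type through `getContext().getContentResolver()`, so as far as this hunk shows the lookup is made with the provider's own context rather than the calling app's, and the type string is whatever the URI's owning provider reports. The helper has no doc comment saying so, and the log text `(no access from this context?)` reads as if the caller's access were being tested. I would add a Javadoc above the method stating that it rejects self-referential settings URIs, URIs whose type cannot be resolved and non-audio types, and that a `null` value is accepted. Whether a user id embedded in the URI authority is compared with `owningUserId` elsewhere in the enclosing method is not visible here and is worth confirming; that method starts and ends outside the first hunk.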
79 changes: 79 additions & 0 deletions
79
...base_aaos/frameworks/base/99_0304-RingtoneManager-allow-video-ringtone-URI.bulletin.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
From aece1c1baa9259c18d06e91dad7240ad69396d99 Mon Sep 17 00:00:00 2001 | ||
From: Jean-Michel Trivi <[email protected]> | ||
Date: Mon, 24 Jun 2024 17:29:14 -0700 | ||
Subject: [PATCH] RingtoneManager: allow video ringtone URI | ||
|
||
When checking the MIME type for the default ringtone, also | ||
allow it to refer to video content. | ||
|
||
Bug: 205837340 | ||
Test: see POC + atest android.media.audio.cts.RingtoneManagerTest | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:afa5db6707aa765fa92a00aa57cbe889951dc15b) | ||
Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7 | ||
Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7 | ||
--- | ||
media/java/android/media/RingtoneManager.java | 8 ++++++-- | ||
.../android/providers/settings/SettingsProvider.java | 11 +++++++---- | ||
2 files changed, 13 insertions(+), 6 deletions(-) | ||
|
||
diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java | ||
index 8aecf7f17026..2dc6365c2e29 100644 | ||
--- a/media/java/android/media/RingtoneManager.java | ||
+++ b/media/java/android/media/RingtoneManager.java | ||
@@ -834,9 +834,13 @@ public class RingtoneManager { | ||
+ " ignored: failure to find mimeType (no access from this context?)"); | ||
return; | ||
} | ||
- if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { | ||
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") | ||
+ || mimeType.equals("application/x-flac") | ||
+ // also check for video ringtones | ||
+ || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) { | ||
Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri | ||
- + " ignored: associated mimeType:" + mimeType + " is not an audio type"); | ||
+ + " ignored: associated MIME type:" + mimeType | ||
+ + " is not a recognized audio or video type"); | ||
return; | ||
} | ||
} | ||
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
index 4df565045e82..71824ecbed9a 100644 | ||
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java | ||
@@ -1906,7 +1906,7 @@ public class SettingsProvider extends ContentProvider { | ||
cacheName = Settings.System.ALARM_ALERT_CACHE; | ||
} | ||
if (cacheName != null) { | ||
- if (!isValidAudioUri(name, value)) { | ||
+ if (!isValidMediaUri(name, value)) { | ||
return false; | ||
} | ||
final File cacheFile = new File( | ||
@@ -1941,7 +1941,7 @@ public class SettingsProvider extends ContentProvider { | ||
} | ||
} | ||
|
||
- private boolean isValidAudioUri(String name, String uri) { | ||
+ private boolean isValidMediaUri(String name, String uri) { | ||
if (uri != null) { | ||
Uri audioUri = Uri.parse(uri); | ||
if (Settings.AUTHORITY.equals( | ||
@@ -1959,10 +1959,13 @@ public class SettingsProvider extends ContentProvider { | ||
return false; | ||
} | ||
if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") | ||
- || mimeType.equals("application/x-flac"))) { | ||
+ || mimeType.equals("application/x-flac") | ||
+ // also check for video ringtones | ||
+ || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) { | ||
Slog.e(LOG_TAG, | ||
"mutateSystemSetting for setting: " + name + " URI: " + audioUri | ||
- + " ignored: associated mimeType: " + mimeType + " is not an audio type"); | ||
+ + " ignored: associated MIME type: " + mimeType | ||
+ + " is not a recognized audio or video type"); | ||
return false; | ||
} | ||
} | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
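Review bot: The accepted MIME list is now written out twice, once in `RingtoneManager` and once in `SettingsProvider.isValidMediaUri`, and the removed lines show the two copies had already drifted (`application/x-flac` was present in only one of them). A shared predicate would stop that recurring; short of that, a cross-reference on each copy such as `// Keep in sync with SettingsProvider#isValidMediaUri` makes the coupling visible. After the rename the local is still called `audioUri`, and the inline comment says `also check for video ringtones` where the code is accepting video types; `mediaUri` and `// also accept video ringtones` would read correctly. The enclosing methods extend beyond the hunks shown.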
84 changes: 84 additions & 0 deletions
84
...ase/99_0305-enforce-limits-for-VisualVoicemailSmsFilterSettings-properties.bulletin.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
From 226a778cc19f7be15107f0ed9a44a831c4e49a41 Mon Sep 17 00:00:00 2001 | ||
From: Thomas Stuart <[email protected]> | ||
Date: Thu, 6 Jun 2024 22:36:40 +0000 | ||
Subject: [PATCH] enforce limits for VisualVoicemailSmsFilterSettings | ||
properties | ||
|
||
- clientPrefix is now limited to 256 characters | ||
- originatingNumbers is now limited to a list size of 100 and | ||
each element is also limited to 256 characters | ||
|
||
Bug: 308932906 | ||
Test: CTS | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e59a05ecadb572df4b76c98e63165505deefc660) | ||
Merged-In: Id4b4358b141bb211a7e340b979774850b4bd2403 | ||
Change-Id: Id4b4358b141bb211a7e340b979774850b4bd2403 | ||
--- | ||
.../VisualVoicemailSmsFilterSettings.java | 27 +++++++++++++++++++ | ||
1 file changed, 27 insertions(+) | ||
|
||
diff --git a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java | ||
index eadb726bf63b..2b515c9b5cd1 100644 | ||
--- a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java | ||
+++ b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java | ||
@@ -64,6 +64,14 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable { | ||
* @hide | ||
*/ | ||
public static final int DEFAULT_DESTINATION_PORT = DESTINATION_PORT_ANY; | ||
+ /** | ||
+ * @hide | ||
+ */ | ||
+ public static final int MAX_STRING_LENGTH = 256; | ||
+ /** | ||
+ * @hide | ||
+ */ | ||
+ public static final int MAX_LIST_SIZE = 100; | ||
|
||
/** | ||
* Builder class for {@link VisualVoicemailSmsFilterSettings} objects. | ||
@@ -82,11 +90,16 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable { | ||
/** | ||
* Sets the client prefix for the visual voicemail SMS filter. The client prefix will appear | ||
* at the start of a visual voicemail SMS message, followed by a colon(:). | ||
+ * @throws IllegalArgumentException if the string length is greater than 256 characters | ||
*/ | ||
public Builder setClientPrefix(String clientPrefix) { | ||
if (clientPrefix == null) { | ||
throw new IllegalArgumentException("Client prefix cannot be null"); | ||
} | ||
+ if (clientPrefix.length() > MAX_STRING_LENGTH) { | ||
+ throw new IllegalArgumentException("Client prefix cannot be greater than " | ||
+ + MAX_STRING_LENGTH + " characters"); | ||
+ } | ||
mClientPrefix = clientPrefix; | ||
return this; | ||
} | ||
@@ -95,11 +108,25 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable { | ||
* Sets the originating number allow list for the visual voicemail SMS filter. If the list | ||
* is not null only the SMS messages from a number in the list can be considered as a visual | ||
* voicemail SMS. Otherwise, messages from any address will be considered. | ||
+ * @throws IllegalArgumentException if the size of the originatingNumbers list is greater | ||
+ * than 100 elements | ||
+ * @throws IllegalArgumentException if an element within the originatingNumbers list has | ||
+ * a string length greater than 256 | ||
*/ | ||
public Builder setOriginatingNumbers(List<String> originatingNumbers) { | ||
if (originatingNumbers == null) { | ||
throw new IllegalArgumentException("Originating numbers cannot be null"); | ||
} | ||
+ if (originatingNumbers.size() > MAX_LIST_SIZE) { | ||
+ throw new IllegalArgumentException("The originatingNumbers list size cannot be" | ||
+ + " greater than " + MAX_STRING_LENGTH + " elements"); | ||
+ } | ||
+ for (String num : originatingNumbers) { | ||
+ if (num != null && num.length() > MAX_STRING_LENGTH) { | ||
+ throw new IllegalArgumentException("Numbers within the originatingNumbers list" | ||
+ + " cannot be greater than" + MAX_STRING_LENGTH + " characters"); | ||
+ } | ||
+ } | ||
mOriginatingNumbers = originatingNumbers; | ||
return this; | ||
} | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
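Review bot: The size check in `setOriginatingNumbers` compares against `MAX_LIST_SIZE` but builds its message from `MAX_STRING_LENGTH`, so the exception reports 256 elements for a limit of 100, and the per-element message is missing a space before the number. The two lines should read `+ " greater than " + MAX_LIST_SIZE + " elements");` and `+ " cannot be greater than " + MAX_STRING_LENGTH + " characters");`. The limits are enforced only in the `Builder` setters; the class is `Parcelable`, and whether objects rebuilt from a `Parcel` pass through the same checks is not visible in these hunks, so the receiving side should be confirmed to validate as well. Null list elements are skipped by `num != null`; if that is intended it deserves a one-line comment.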