ASB JAN 2025 Security Patches integration

aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 419ff1aadc..fbbe777754 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2023-05-05
-+    PLATFORM_SECURITY_PATCH := 2024-12-01
++    PLATFORM_SECURITY_PATCH := 2025-01-01
  endif
 
  include $(BUILD_SYSTEM)/version_util.mk

aosp_diff/preliminary/external/giflib/0001-Fix-potential-overflow-when-calculating-ImageSize.bulletin.patch

@@ -0,0 +1,38 @@
+From 21f1b1b5945f1eadef0707732cec3f150916ac42 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <[email protected]>
+Date: Tue, 17 Sep 2024 21:02:42 +0000
+Subject: [PATCH] Fix potential overflow when calculating ImageSize
+
+The modified if statement doesn't check the size of ImageDesc.Width and
+ImageDesc.Height. If ImageDesc.Width and ImageDesc.Height are larger
+than SIZE_MAX, then ImageSize overflows.
+
+Bug: 355461643
+Test: TreeHugger
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90a054f323a9b460a79e7619e3669dd8b9f94338)
+Merged-In: Ieef04e789acf783eda2dff2cd9284ed204f1d117
+Change-Id: Ieef04e789acf783eda2dff2cd9284ed204f1d117
+---
+ dgif_lib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/dgif_lib.c b/dgif_lib.c
+index 66a1d6a..7b43a6a 100644
+--- a/dgif_lib.c
++++ b/dgif_lib.c
+@@ -1099,8 +1099,10 @@ DGifSlurp(GifFileType *GifFile)
+
+               sp = &GifFile->SavedImages[GifFile->ImageCount - 1];
+               /* Allocate memory for the image */
+-              if (sp->ImageDesc.Width < 0 && sp->ImageDesc.Height < 0 &&
+-                      sp->ImageDesc.Width > (INT_MAX / sp->ImageDesc.Height)) {
++              if (sp->ImageDesc.Width <= 0 ||
++                      sp->ImageDesc.Height <= 0 ||
++                      sp->ImageDesc.Width >
++                          (INT_MAX / sp->ImageDesc.Height)) {
+                   return GIF_ERROR;
+               }
+               ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0226-RingtoneManager-verify-default-ringtone-is-audio.bulletin.patch

@@ -0,0 +1,63 @@
+From 88cf23cfe50b80aa9d65cc22946de1765972cb80 Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <[email protected]>
+Date: Wed, 7 Dec 2022 04:36:46 +0000
+Subject: [PATCH] RingtoneManager: verify default ringtone is audio
+
+When a ringtone picker tries to set a ringtone through
+RingtoneManager.setActualDefaultRingtoneUri (also
+called by com.android.settings.DefaultRingtonePreference),
+verify the mimeType can be obtained (not found when caller
+doesn't have access to it) and it is an audio resource.
+
+Bug: 205837340
+Test: atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b8c2d03b720f0cc200ac59f6cfb411fddc3b119c)
+Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+---
+ media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 27727699d05c..19720c2ed8f9 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -776,10 +776,10 @@ public class RingtoneManager {
+
+         return ringtoneUri;
+     }
+-    
++
+     /**
+      * Sets the {@link Uri} of the default sound for a given sound type.
+-     * 
++     *
+      * @param context A context used for querying.
+      * @param type The type whose default sound should be set. One of
+      *            {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or
+@@ -795,6 +795,21 @@ public class RingtoneManager {
+         if(!isInternalRingtoneUri(ringtoneUri)) {
+             ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId());
+         }
++
++        if (ringtoneUri != null) {
++            final String mimeType = resolver.getType(ringtoneUri);
++            if (mimeType == null) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: failure to find mimeType (no access from this context?)");
++                return;
++            }
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                return;
++            }
++        }
++
+         Settings.System.putStringForUser(resolver, setting,
+                 ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId());
+
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0227-RingtoneManager-allow-video-ringtone-URI.bulletin.patch

@@ -0,0 +1,79 @@
+From 76e75c11b5085582d97d39ec09409a4011b0849b Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <[email protected]>
+Date: Mon, 24 Jun 2024 17:29:14 -0700
+Subject: [PATCH] RingtoneManager: allow video ringtone URI
+
+When checking the MIME type for the default ringtone, also
+allow it to refer to video content.
+
+Bug: 205837340
+Test: see POC + atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de83ef4f51cad7ea1eb91f5d328d79b719251abe)
+Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+---
+ media/java/android/media/RingtoneManager.java         |  8 ++++++--
+ .../android/providers/settings/SettingsProvider.java  | 11 +++++++----
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 19720c2ed8f9..368d27a174c3 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -803,9 +803,13 @@ public class RingtoneManager {
+                         + " ignored: failure to find mimeType (no access from this context?)");
+                 return;
+             }
+-            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+-                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type:" + mimeType
++                        + " is not a recognized audio or video type");
+                 return;
+             }
+         }
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+index f80d587058f1..c387b0db79c4 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+@@ -1928,7 +1928,7 @@ public class SettingsProvider extends ContentProvider {
+             cacheName = Settings.System.ALARM_ALERT_CACHE;
+         }
+         if (cacheName != null) {
+-            if (!isValidAudioUri(name, value)) {
++            if (!isValidMediaUri(name, value)) {
+                 return false;
+             }
+             final File cacheFile = new File(
+@@ -1963,7 +1963,7 @@ public class SettingsProvider extends ContentProvider {
+         }
+     }
+
+-    private boolean isValidAudioUri(String name, String uri) {
++    private boolean isValidMediaUri(String name, String uri) {
+         if (uri != null) {
+             Uri audioUri = Uri.parse(uri);
+             if (Settings.AUTHORITY.equals(
+@@ -1981,10 +1981,13 @@ public class SettingsProvider extends ContentProvider {
+                 return false;
+             }
+             if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+-                    || mimeType.equals("application/x-flac"))) {
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Slog.e(LOG_TAG,
+                         "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+-                        + " ignored: associated mimeType: " + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type: " + mimeType
++                        + " is not a recognized audio or video type");
+                 return false;
+             }
+         }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0228-enforce-limits-for-VisualVoicemailSmsFilterSettings-properties.bulletin.patch

@@ -0,0 +1,84 @@
+From 6d42793c60a14b2d81d62259b55e9fa9fa9db444 Mon Sep 17 00:00:00 2001
+From: Thomas Stuart <[email protected]>
+Date: Thu, 6 Jun 2024 22:36:40 +0000
+Subject: [PATCH] enforce limits for VisualVoicemailSmsFilterSettings
+ properties
+
+- clientPrefix is now limited to 256 characters
+- originatingNumbers is now limited to a list size of 100 and
+  each element is also limited to 256 characters
+
+Bug: 308932906
+Test: CTS
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8201f7239c50316aa3c36d90e9f90d0a29e74be1)
+Merged-In: Id4b4358b141bb211a7e340b979774850b4bd2403
+Change-Id: Id4b4358b141bb211a7e340b979774850b4bd2403
+---
+ .../VisualVoicemailSmsFilterSettings.java     | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
+index eadb726bf63b..2b515c9b5cd1 100644
+--- a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
++++ b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
+@@ -64,6 +64,14 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+      * @hide
+      */
+     public static final int DEFAULT_DESTINATION_PORT = DESTINATION_PORT_ANY;
++    /**
++     * @hide
++     */
++    public static final int MAX_STRING_LENGTH = 256;
++    /**
++     * @hide
++     */
++    public static final int MAX_LIST_SIZE = 100;
+
+     /**
+      * Builder class for {@link VisualVoicemailSmsFilterSettings} objects.
+@@ -82,11 +90,16 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+         /**
+          * Sets the client prefix for the visual voicemail SMS filter. The client prefix will appear
+          * at the start of a visual voicemail SMS message, followed by a colon(:).
++         * @throws IllegalArgumentException if the string length is greater than 256 characters
+          */
+         public Builder setClientPrefix(String clientPrefix) {
+             if (clientPrefix == null) {
+                 throw new IllegalArgumentException("Client prefix cannot be null");
+             }
++            if (clientPrefix.length() > MAX_STRING_LENGTH) {
++                throw new IllegalArgumentException("Client prefix cannot be greater than "
++                        + MAX_STRING_LENGTH + " characters");
++            }
+             mClientPrefix = clientPrefix;
+             return this;
+         }
+@@ -95,11 +108,25 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+          * Sets the originating number allow list for the visual voicemail SMS filter. If the list
+          * is not null only the SMS messages from a number in the list can be considered as a visual
+          * voicemail SMS. Otherwise, messages from any address will be considered.
++         * @throws IllegalArgumentException if the size of the originatingNumbers list is greater
++         * than 100 elements
++         * @throws IllegalArgumentException if an element within the originatingNumbers list has
++         * a string length greater than 256
+          */
+         public Builder setOriginatingNumbers(List<String> originatingNumbers) {
+             if (originatingNumbers == null) {
+                 throw new IllegalArgumentException("Originating numbers cannot be null");
+             }
++            if (originatingNumbers.size() > MAX_LIST_SIZE) {
++                throw new IllegalArgumentException("The originatingNumbers list size cannot be"
++                        + " greater than " + MAX_STRING_LENGTH + " elements");
++            }
++            for (String num : originatingNumbers) {
++                if (num != null && num.length() > MAX_STRING_LENGTH) {
++                    throw new IllegalArgumentException("Numbers within the originatingNumbers list"
++                            + " cannot be greater than" + MAX_STRING_LENGTH + " characters");
++                }
++            }
+             mOriginatingNumbers = originatingNumbers;
+             return this;
+         }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+