Update AVB hash header image_size to match unpacked original_image_size.

Fixes #8389

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kousu

native/src/boot/bootimg.cpp

@@ -1019,10 +1019,22 @@ void repack(Utf8CStr src_img, Utf8CStr out_img, bool skip_comp) {
         memcpy(footer, boot.avb_footer, sizeof(AvbFooter));
         footer->original_image_size = __builtin_bswap64(aosp_img_size);
         footer->vbmeta_offset = __builtin_bswap64(off.vbmeta);
+
+        auto vbmeta = reinterpret_cast<AvbVBMetaImageHeader*>(out.data() + off.vbmeta);
+
         if (check_env("PATCHVBMETAFLAG")) {
-            auto vbmeta = reinterpret_cast<AvbVBMetaImageHeader*>(out.data() + off.vbmeta);
             vbmeta->flags = __builtin_bswap32(3);
         }
+
+        // Sync hash descriptor image_size with the new AOSP portion size.
+        // Without this, some bootloaders (e.g. Motorola) reject images.
+        for (auto &desc : vbmeta->descriptors()) {
+            if (__builtin_bswap64(desc.tag) != AVB_DESCRIPTOR_TAG_HASH)
+                continue;
+            auto &hd = reinterpret_cast<AvbHashDescriptor &>(desc);
+            hd.image_size = __builtin_bswap64(aosp_img_size);
+            break;
+        }
     }
 
     if (boot.flags[DHTB_FLAG]) {

native/src/boot/bootimg.hpp

@@ -69,6 +69,51 @@ struct AvbFooter {
     uint8_t reserved[28];
 } __attribute__((packed));
 
+// https://android.googlesource.com/platform/external/avb/+/refs/heads/android11-release/libavb/avb_descriptor.h
+enum AvbDescriptorTag : uint64_t {
+    AVB_DESCRIPTOR_TAG_PROPERTY        = 0,
+    AVB_DESCRIPTOR_TAG_HASHTREE        = 1,
+    AVB_DESCRIPTOR_TAG_HASH            = 2,
+    AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE  = 3,
+    AVB_DESCRIPTOR_TAG_CHAIN_PARTITION = 4,
+};
+
+struct AvbDescriptor {
+    uint64_t tag;
+    uint64_t num_bytes;  // size of descriptor body (excludes this header)
+} __attribute__((packed));
+
+struct AvbDescriptorIterator {
+    AvbDescriptor *ptr;
+    AvbDescriptor &operator*() const { return *ptr; }
+    AvbDescriptor *operator->() const { return ptr; }
+    bool operator!=(const AvbDescriptorIterator &o) const { return ptr != o.ptr; }
+    AvbDescriptorIterator &operator++() {
+        ptr = reinterpret_cast<AvbDescriptor *>(
+            reinterpret_cast<uint8_t *>(ptr) + sizeof(AvbDescriptor) + __builtin_bswap64(ptr->num_bytes));
+        return *this;
+    }
+};
+
+struct AvbDescriptorRange {
+    AvbDescriptor *first, *last;
+    AvbDescriptorIterator begin() const { return {first}; }
+    AvbDescriptorIterator end()   const { return {last}; }
+};
+
+// https://android.googlesource.com/platform/external/avb/+/refs/heads/android11-release/libavb/avb_hash_descriptor.h
+struct AvbHashDescriptor {
+    AvbDescriptor header;  // tag == 2
+    uint64_t image_size;
+    uint8_t hash_algorithm[32];
+    uint32_t partition_name_len;
+    uint32_t salt_len;
+    uint32_t digest_len;
+    uint32_t flags;
+    uint8_t reserved[60];
+    // followed by: partition_name, salt, digest (variable length)
+} __attribute__((packed));
+
 // https://android.googlesource.com/platform/external/avb/+/refs/heads/android11-release/libavb/avb_vbmeta_image.h
 struct AvbVBMetaImageHeader {
     uint8_t magic[AVB_MAGIC_LEN];
@@ -92,6 +137,15 @@ struct AvbVBMetaImageHeader {
     uint32_t rollback_index_location;
     uint8_t release_string[AVB_RELEASE_STRING_SIZE];
     uint8_t reserved[80];
+
+    AvbDescriptorRange descriptors() const {
+        auto *base = reinterpret_cast<const uint8_t *>(this) + sizeof(AvbVBMetaImageHeader);
+        base += __builtin_bswap64(authentication_data_block_size);
+        base += __builtin_bswap64(descriptors_offset);
+        auto *first = reinterpret_cast<AvbDescriptor *>(const_cast<uint8_t *>(base));
+        auto *last  = reinterpret_cast<AvbDescriptor *>(const_cast<uint8_t *>(base) + __builtin_bswap64(descriptors_size));
+        return {first, last};
+    }
 } __attribute__((packed));
 
 /*********************