Android Marshmallow AOSP Changes

Changes from 6.0.1_r77 (M4B30Z) to 6.0.1_r78 (MOB31S):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (36):

  • device/asus/flo-kernel with 2 change(s)
    • c8a3abb : flo: update prebuilt kernel
    • d999d3f : flo: update prebuilt kernel

  • platform/build with 42 change(s)
    • d2fa587 : MOB31S
    • e3c252a : MOB31R
    • d4b3914 : Updating Security String to 2017-01-05 on mnc-dev
    • 4a6e696 : Updating Security string to 2017-01-01 on mnc-dev
    • 99972ca : MOB31Q
    • 4dfa9d6 : MOB31P
    • 0493be9 : MOB31O
    • ef46365 : Updating Security String to 2016-12-05
    • 874cb89 : Updating Security String to 2016-12-01
    • df277b3 : MOB31N
    • b045f91 : MOB31M
    • c3c1d43 : MOB31K
    • 93b6278 : MOB31J
    • 9dd3e01 : MOB31I
    • 54e0e32 : Updating Security String to 2016-11-05 on mnc-dev b/31618336
    • a696488 : Updating Security String to 2016-11-01 on mnc-dev b/31618336
    • f26f928 : MOB31H
    • 51e569c : MOB31G
    • c49265a : MOB31F
    • 7d3077c : Update comments around PLATFORM_SECURITY_LEVEL
    • f03c12b : Update Security String to 2016-10-05 to Platform and CTS for October Security Updates (rebased)
    • a9e57f6 : Update Security String to 2016-10-01 to platform and CTS for October Security
    • 633dd52 : "MOB31E"
    • a65a6c4 : Update Security String to 2016-09-06 to platform and CTS for September Security (+Quadrooter,-PZ)
    • 52f12c7 : "MOB31D"
    • 2f6515c : Update Security String to 2016-09-07 to platform and CTS for September respin
    • b24a529 : "MOB31C"
    • 827f04b : Updating security string to 2016-09-05 to platform and CTS in preparation for 2016 September OTA on mnc-dev
    • 92212a9 : "MOB31B"
    • f4607de : Updating security string to 2016-09-01 to platform and CTS in preparation for 2016 September OTA
    • 5d5a58e : "MOB30Z"
    • a8994a2 : "MOB30Y"
    • 7441560 : "MOB30X"
    • c5f5bf3 : "MOB30W"
    • 2f9b1a7 : "MOB30V"
    • 36e2d00 : MOB30U
    • 82d53be : "MOB30T"
    • 6d81a4a : "MOB30S"
    • 01e9203 : disable unpriv perf by default in user{,debug} builds
    • 20dde10 : "MOB30R"
    • 067d200 : Updating security string to 2016-08-05 - directly to mnc-mr2-release
    • f665835 : MOB30Q

  • platform/external/boringssl with 2 change(s)
    • 9120fca : Re-add |EVP_des_ede_cbc|.
    • 43270fd : Fix NID of |EVP_CIPHER des3_cbc|.

  • platform/external/bouncycastle with 1 change(s)
    • 2096fd1 : GCMParameters: in ASN1 encoding, use 12 when no value is specified

  • platform/external/chromium-webview with 1 change(s)
    • c26dfdc : WebView AOSP Integration Request - 52.0.2743.100

  • platform/external/conscrypt with 2 change(s)
    • fe809da : Fix typo in name of des-ede mapping
    • 5af5e93 : Use SSL_session_reused to check when a session was reused

  • platform/external/expat with 3 change(s)
    • a11ff32 : Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
    • 52ac633 : Fix CVE-2016-0718: Expat XML Parser Crashes on Malformed Input
    • 13b40c2 : Upgrade to expat 2.1.1

  • platform/external/flac with 1 change(s)
    • b93c406 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.

  • platform/external/jhead with 2 change(s)
    • cbbecf7 : Fix possible out of bounds accesses
    • bae6715 : Fix possible out of bounds access

  • platform/external/libavc with 8 change(s)
    • 6c6cbcf : Decoder: Fixes in handling errors in Mbaff clips.
    • 2826cc8 : Decoder: Ignore few dpb errors
    • d9bcf01 : Decoder: Fixes for handling errors in multi-slice MB Aff streams
    • 3d14922 : Fix in the case of invalid SPS PPS
    • 7109ce3 : Fixed error concealment when no MBs are decoded in the current pic
    • 326fe99 : Decoder: Initialize first_pb_nal_in_pic for error slices
    • 7554755 : Decoder: Do not conceal slices with invalid SPS/PPS
    • a78887b : Decoder: Fix slice number increment for error clips

  • platform/external/libhevc with 1 change(s)
    • 5456474 : Handle invalid slice_address in slice header

  • platform/external/libnl with 1 change(s)
    • b139feb : libnl: Check data length in nla_reserve / nla_put

  • platform/external/libopus with 1 change(s)
    • 987e798 : Ensure that NLSF cannot be negative when computing a min distance between them

  • platform/external/libvpx with 1 change(s)
    • f0ebeac : vp8:fix threading issues

  • platform/external/sepolicy with 2 change(s)
    • 21658af : Allow the zygote to stat all files it opens.
    • f2b123a : expose control over unpriv perf access to shell

  • platform/external/sonivox with 1 change(s)
    • cadfb7a : Fix NULL pointer dereference

  • platform/external/tremolo with 1 change(s)
    • 261bb1f : Tremolo: fix ARM assembly code for decode_map type 3 case

  • platform/frameworks/av with 43 change(s)
    • 89c5a19 : Fix security vulnerability: Effect command might allow negative indexes
    • 7b78d2b : Make VBRISeeker more robust
    • dd5c245 : Effects: Check get parameter command size
    • 5e00dcb : Fix security vulnerability: Equalizer command might allow negative indexes
    • 7a9dc07 : Visualizer: Check capture size and latency parameters
    • 4d5cd8d : Fix potential NULL dereference in Visualizer effect
    • 929b813 : IOMX: convert ANWB to Gralloc meta if using useBuffer in the same process
    • 61b1572 : stagefright: remove allottedSize equality check in IOMX::useBuffer
    • c13a507 : stagefright: don't fail MediaCodec.configure if clients use store-meta key
    • c2a27ba : IOMX: do not clear buffer if it's allocated by component
    • 8cbd1c5 : IOMX: allow configuration after going to loaded state
    • b1463a7 : IOMX: restrict conversion of ANWB to gralloc source in emptyBuffer
    • b5203ab : Limit mp4 atom size to something reasonable
    • 2af81c2 : SampleIterator: clear members on seekTo error
    • c2dd82b : Check mprotect result
    • 1280356 : Radio: get service by value.
    • d8cf9aa : SoundTrigger: get service by value.
    • ace612c : Fix stack content leak vulnerability in mediaserver
    • 23ffe42 : Fix potential overflow in Visualizer effect
    • bc8a45f : IOMX: work against metadata buffer spoofing
    • 4b459da : MediaPlayerService: allow next player to be NULL
    • 45f500a : Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
    • 497fcd7 : Add EFFECT_CMD_SET_PARAM parameter checking
    • 4d96096 : soundtrigger: add size check on sound model and recogntion data
    • 54ac346 : MediaPlayerService: avoid invalid static cast
    • 173e6eb : better validation lengths of strings in ID3 tags
    • b52c757 : SoftMPEG4: Check the buffer size before writing the reference frame.
    • c174665 : omx: prevent input port enable/disable for software codecs
    • d67bab6 : Fix build
    • ae1810f : Fix build
    • 36dd3c2 : Add bound checks to utf16_to_utf8
    • 50643aa : fix build
    • ee44d7c : SoftVPX: fix nFilledLen overflow
    • 97837bb : OMXCodec: check IMemory::pointer() before using allocation
    • f9391b3 : Fix corruption via buffer overflow in mediaserver
    • 9871fae : SoftMP3: memset safely
    • 030001d : Impose a size bound for dynamically allocated tables in stbl.
    • 9cd8c32 : Check effect command reply size in AudioFlinger
    • a4567c6 : SoftHEVC: Exit gracefully in case of decoder errors
    • 42a25c4 : Don't use sp&
    • 8e438e1 : SoftAAC2: fix crash on all-zero adts buffer
    • 590d172 : Fix potential overflow
    • d112f7d : Resolve a merge issue between lmp and lmp-mr1+

  • platform/frameworks/base with 20 change(s)
    • db66afe : resolve merge conflicts of 89aa6fb to mnc-dr-dev
    • 9494689 : Fix idmap leak in zygote process
    • c3ee762 : Zygote: Additional whitelisting for legacy devices.
    • 7aa8ec2 : Zygote: Additional whitelists for runtime overlay / other static resources.
    • 80b6292 : Public volumes belong to a single user.
    • cc3a845 : Zygote : Block SIGCHLD during fork.
    • ef525e8 : Avoid crashing when downloading MitM'd PAC that is too big am: 7d2198b586 am: 9c1cb7a273 am: 6634e90ad7 am: 66ee2296a9
    • 4f0dec2 : Fix build break due to automerge of 7d2198b5
    • 77fa5d9 : Ensure munmap matches mmap
    • 26f6eb7 : Fix setPairingConfirmation permissions issue (2/2)
    • b8be33b : Backport changes to whitelist sockets opened by the zygote.
    • a1e1881 : Process: Fix communication with zygote.
    • 1d6c0ef : Fix vulnerability in LockSettings service
    • f0ea4c8 : Add bound checks to utf16_to_utf8
    • 28460c2 : Check caller's uid before allowing notification policy access.
    • 81be4e3 : Fix string equality comparison
    • 55271d4 : WifiEnterpriseConfiguration: Do not print credentials in toString
    • 4e4743a : Add pm operation to set user restrictions.
    • 01875b0 : Reduce shell power over user management.
    • e7cf91a : Don't trust callers to supply app info to bindBackupAgent()

  • platform/frameworks/ex with 2 change(s)
    • 66d6c8a : resolve merge conflicts of 3802db4 to mnc-dev
    • 0eedb18 : Handle color bounds correctly in GIF decode.

  • platform/frameworks/native with 4 change(s)
    • b5c8da6 : Fix SF security vulnerability: 32660278
    • 23e7c1d : ServiceManager: Allow system services running as secondary users to add services
    • 1ecb999 : Region: Detect malicious overflow in unflatten
    • 3bcf0ca : Add FrameStats default constructor

  • platform/frameworks/opt/net/wifi with 5 change(s)
    • f59170d : resolve merge conflicts of 849c5c7 to mnc-dev
    • ef5fc44 : wifinative jni: check array length to prevent stack overflow
    • d9be1b6 : ANQPFactory: catch all potential parsing errors
    • b2219ef : VenueNameElement: fix off-by-one enum bounds check
    • a209ff1 : Deal correctly with short strings

  • platform/frameworks/opt/telephony with 2 change(s)
    • 7217535 : Do not allow premium SMS during SuW
    • f47bc30 : backport security fix: avoid set NITZ time to 2038

  • platform/hardware/qcom/audio with 4 change(s)
    • a2748c1 : Fix security vulnerability: Effect command might allow negative indexes
    • abf8e5c : Fix security vulnerability: Equalizer command might allow negative indexes
    • 83cda43 : Fix potential NULL dereference in Visualizer effect
    • a573330 : Fix potential overflow in Visualizer effect

  • platform/hardware/qcom/media with 1 change(s)
    • ee3e74f : mm-video-v4l2: vdec: Disallow input usebuffer for secure case

  • platform/hardware/ril with 1 change(s)
    • 87c2ac6 : Replace variable-length arrays on stack with malloc.

  • platform/libcore with 2 change(s)
    • a1e0873 : IDN: Fix handling of long domain names.
    • c95c72e : CipherTest: in ASN1 encoding for GCM, no value for tag size means 12

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 0665d10 : Fix setPairingConfirmation permissions issue (1/2)

  • platform/packages/apps/ContactsCommon with 1 change(s)
    • 5530f85 : resolve merge conflicts of e20a370 to mnc-dev

  • platform/packages/apps/Email with 2 change(s)
    • 9046b84 : Limit account id and id to longs
    • cb2dfe4 : stop exporting EmailAccountCacheProvider

  • platform/packages/apps/Nfc with 1 change(s)
    • e1bc9bb : Allow system_server access to NFC reader mode API.

  • platform/packages/providers/DownloadProvider with 3 change(s)
    • 1f66449 : Enforce calling identity before clearing.
    • 3f2cf47 : Revert "Enforce calling identity before clearing."
    • 6f753b3 : Enforce calling identity before clearing.

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • c8f249d : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

  • platform/packages/services/Telephony with 4 change(s)
    • 8696a16 : Catch SIP exceptions which can crash Phone process on answer.
    • c3845bb : Unexport OmtpMessageReceiver
    • e9faf0b : Restrict SipProfiles to profiles directory
    • c76129b : Make TTY broadcasts protected

  • platform/system/core with 9 change(s)
    • e8e6d11 : Fix out of bound access in libziparchive
    • dc7cf22 : liblog: add __android_log_close()
    • e8ee403 : liblog: add __android_log_close()
    • b825f11 : Fix vold vulnerability in FrameworkListener
    • 4cc6d3d : debuggerd: fix missed use of ptrace(PTRACE_ATTACH).
    • f483354 : adb: use asocket's close function when closing.
    • 014b159 : adb: switch the socket list mutex to a recursive_mutex.
    • 3c28cda : libutils/Unicode.cpp: Correct length computation and add checks for utf16-utf8
    • 671d62d : add a property for controlling perf_event_paranoid

  • platform/system/media with 3 change(s)
    • 6555c97 : Fix potential overflow in Visualizer effect
    • 8d0a86a : Camera metadata: Check for inconsistent data count
    • 882db90 : Camera: Prevent data size overflow