Android Marshmallow AOSP Changes

Changes from 6.0.1_r79 (MOB31T) to 6.0.1_r80 (MOB31Z):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (56):

  • device/htc/flounder with 1 change(s)
    • ddff829 : Fix security issue in Visualizer effect

  • platform/bionic with 2 change(s)
    • 3790036 : linker: remove link from external library on unload
    • 6c63ba5 : Check for bad packets in getaddrinfo.c's getanswer.

  • platform/bootable/recovery with 4 change(s)
    • eb9bed7 : Add a checker for signature boundary in verifier
    • 4245022 : Add a checker for signature boundary in verifier
    • 6896261 : Fix integer overflows in recovery procedure.
    • 84de5c6 : Fix integer overflows in recovery procedure.

  • platform/build with 24 change(s)
    • 77fe130 : Updating security string to 2017-07-01 on mnc (cherry picked from commit dce5c7b9dcf30d3d8582e704733b6d702be4e64b)
    • 320f9ba : Version bump to MOB31Y
    • 2f1cb00 : MOB31X
    • 87ab43a : MOB31W
    • dfb6f45 : MOB31V
    • 56439f8 : MOB31U
    • ba875fc : Updating Security string to 2017-01-01 on mnc-dev
    • bc10344 : Updating Security String to 2016-12-01
    • ecca1c8 : Updating Security String to 2016-11-01 on mnc-dev b/31618336
    • d7a7564 : Update Security String to 2016-10-01 to platform and CTS for October Security
    • 96e5bb1 : Updating security string to 2016-09-01 to platform and CTS in preparation for 2016 September OTA
    • 60a6efd : Update security patch string to 2016-08-01 - For Partners only
    • 468b3b9 : disable unpriv perf by default in user{,debug} builds
    • 736c4a4 : Updating security string to 2016-07-01
    • 212dcf1 : Update security patch string to 2016-06-01
    • 4d05c3f : Update Security String to 2016-05-01 in preparation for May 2016 Security OTA
    • 772db68 : "MMB29X"
    • a6860b3 : Update Security String to 2016-04-02 in preparation for April 2016 Security OTA v2 - kernel updates with patches for CVE-2015-1805
    • 2d0200f : "MMB29W"
    • 0ad1f65 : Updating security string patch to 2016-04-01
    • bc3ca8c : Updating security string patch to 2016-04-01
    • cb001d5 : Updating security patch string to 2016-03-01
    • 00b242b : Update Security String to 2016-02-01
    • 22dac03 : Update Security String to 2016-01-01 to mnc-dev

  • platform/cts with 2 change(s)
    • 341f1d4 : MediaServerCrashTest: add testDrmManagerClientReset.
    • f9ec676 : CTS test for robust handling of invalid cmap

  • platform/dalvik with 1 change(s)
    • 2db6ba9 : Fix potential buffer overrun.

  • platform/external/aac with 3 change(s)
    • 84da677 : Fix aacDecoder_drcExtractAndMap()
    • 914c690 : Fix stack corruption happening in aacDecoder_drcExtractAndMap()
    • 2181968 : Fix stack corruption happening in aacDecoder_drcExtractAndMap()

  • platform/external/boringssl with 8 change(s)
    • d21457b : CVE 2016-2109 fix
    • d1d5a84 : Rewrite BN_bn2dec.
    • 94c61cf : Rewrite BN_bn2dec.
    • b35c285 : Re-add |EVP_des_ede_cbc|.
    • 85a9811 : Fix NID of |EVP_CIPHER des3_cbc|.
    • 7c2edb9 : Fix encoding bug in i2c_ASN1_INTEGER
    • e2e3a5c : Remove support for mis-encoded PKCS#8 DSA keys.
    • ff60157 : Remove support for mis-encoded PKCS#8 DSA keys.

  • platform/external/bouncycastle with 3 change(s)
    • c786a67 : GCMParameters: in ASN1 encoding, use 12 when no value is specified
    • bc445d7 : GCMParameters: fix insecure tag size
    • eac60a3 : GCMParameters: fix insecure tag size

  • platform/external/chromium-webview with 1 change(s)
    • 2dfacfd : WebView AOSP Integration Request - 52.0.2743.100

  • platform/external/conscrypt with 9 change(s)
    • 0f4b04e : Fix typo in name of des-ede mapping
    • f9dc37e : Use SSL_session_reused to check when a session was reused
    • 5796f69 : OpenSSLCipher: reset AAD when necessary
    • 348cbdc : OpenSSLCipher: multiple calls to updateAAD were ignored
    • 3312e10 : Fix updateAAD when offset is not 0
    • 5dafbe6 : OpenSSLCipher: reset AAD when necessary
    • 42a8dad : OpenSSLCipher: multiple calls to updateAAD were ignored
    • 4cc285a : Prevent duplicate certificates in TrustedCertificateIndex
    • c800654 : Cache intermediate CA separately

  • platform/external/dhcpcd with 2 change(s)
    • 2a5eac9 : Improve length checks in DHCP Options parsing of dhcpcd.
    • cee18fd : Improve length checks in DHCP Options parsing of dhcpcd.

  • platform/external/expat with 4 change(s)
    • 0c447e5 : Fix cast from pointer to integer of different size
    • 96c4757 : Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
    • cfff574 : Fix CVE-2016-0718: Expat XML Parser Crashes on Malformed Input
    • 18c7d37 : Upgrade to expat 2.1.1

  • platform/external/flac with 3 change(s)
    • 4a3b548 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.
    • 62ba70e : Avoid free-before-initialize vulnerability in heap
    • 984cac7 : Avoid free-before-initialize vulnerability in heap

  • platform/external/jhead with 2 change(s)
    • e923f0b : Fix possible out of bounds accesses
    • 3cb24f5 : Fix possible out of bounds access

  • platform/external/libavc with 68 change(s)
    • bfcb407 : Decoder: Initialize MB info buffer to zero.
    • 6bdb902 : Decoder: Fix end of bitstream error.
    • a9427f1 : Decoder: Fix allocation for Mbaff weight matrix
    • 97b1d82 : Decoder: Fixed flag u1_top_bottom_decoded.
    • 0a559ba : Decoder: Added an error check while parsing PPS.
    • 103cc4c : Fix stack buffer overflow in ih264d_process_intra_mb
    • 1a9219e : Decoder: Fixes in accessing mbaff flag in error cases
    • 122d0d0 : Fix in the case of MMCO 3 (long term reference idx).
    • 1d5cb46 : Decoder: Fixed number of MB calculation for interlaced error streams
    • 7f3e5c6 : Decoder: Fix in reference list initialization.
    • ad3f6e4 : Fixing a check in ih264d_parse_slice.c
    • 151ff76 : :Decoder: Moved end of pic processing to end of decode call
    • 1762feb : Decoder: Treat first slice in a picture as part of new picture always
    • ca5a94f : resolve merge conflicts of 3654ad0 to mnc-dr-dev
    • 7b38293 : Decoder: Fixed initialization of first_slice_in_pic
    • ed7d70d : Fix in returning end of bitstream error for MBAFF
    • 4f91f55 : Decoder: Initialize default reference buffers for all pictures
    • 97c26af : Decoder: Return correct error code for slice header errors
    • c5f9133 : Decoder: Fixes an out of bound write in bitstream buffer
    • d6fe55b : Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
    • 41861da : Decoder: Fix in checking first_mb_in_slice
    • 316495b : Decoder: Increase memory allocation for weights & offsets for interlaced clips
    • bb3eddb : Decoder: Fixed DoS in header decode when no PPS is present
    • 720607c : Decoder: Initialize ps_cur_slice->u1_mbaff_frame_flag correctly for error cases
    • b877f67 : Decoder: Fixed an out of bound access while parsing SEI
    • d10fa62 : Decoder: Fix in MB count in MBAff error handling
    • b112a58 : Call ih264d_deblock_display only for valid process calls
    • 1f1c026 : Decoder: Fixed allocation of ps_dec->ps_nbr_mb_row
    • 8ef2bce : Decoder: Fixed cur_mb_info initialization in error cases
    • f2001f0 : Decoder: Fix in error concealment in the case of Mbaff clips
    • 28c6e87 : Decoder: Fix in the case of error in the first MB in frame.
    • f693c6b : Decoder: Fix in returning incomplete frame error
    • bd6cf42 : Decoder: Fix initialization of ps_next_dpb during reference list creation
    • f570717 : Decoder: Fixed allocation of ps_dec->ps_nbr_mb_row
    • 766229e : Decoder: Fix in the case of error in the first MB in frame.
    • 65fa600 : Decoder: Fixed cur_mb_info initialization in error cases
    • aa26243 : Decoder: Fix in returning incomplete frame error
    • 7742ee4 : Decoder: Fix initialization of ps_next_dpb during reference list creation
    • a345ce3 : Decoder: Fix in error concealment in the case of Mbaff clips
    • 99fa90e : Decoder: Fix in the case of error in the first MB in frame.
    • effb5b8 : Decoder: Fixed allocation of ps_dec->ps_nbr_mb_row
    • 9614400 : Call ih264d_deblock_display only for valid process calls
    • d972d37 : Decoder: Fix in MB count in MBAff error handling
    • 22c8136 : Decoder: Fixed an out of bound access while parsing SEI
    • 7f26623 : Decoder: Initialize ps_cur_slice->u1_mbaff_frame_flag correctly for error cases
    • 04757ee : Decoder: Increase memory allocation for weights & offsets for interlaced clips
    • c5318ac : Decoder: Fixed DoS in header decode when no PPS is present
    • 5072c4b : Decoder: Fix in checking first_mb_in_slice
    • 28fa0db : Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
    • 7f96c36 : Decoder: Fix in checking for valid profile flags
    • 9211390 : Decoder: Fixes in handling errors in Mbaff clips.
    • 12fe485 : Decoder: Ignore few dpb errors
    • e8b5026 : Decoder: Fixes for handling errors in multi-slice MB Aff streams
    • 8770172 : Fix in the case of invalid SPS PPS
    • bae6fe4 : Fixed error concealment when no MBs are decoded in the current pic
    • 9c5b618 : Decoder: Initialize first_pb_nal_in_pic for error slices
    • 9be2e53 : Decoder: Do not conceal slices with invalid SPS/PPS
    • d284be2 : Decoder: Fix slice number increment for error clips
    • ca98681 : Fix slice params for interlaced video
    • 4681781 : Decoder: Initialize slice parameters before concealing error MBs
    • 9134491 : Decoder: Memset few structures to zero to handle error clips
    • 0b23966 : Decoder: Fix for handling invalid intra mode
    • 2de988e : Decoder: Set u1_long_term_reference_flag to 0 for error concealment
    • 0b24cbe : Decoder: Fix stack underflow in CAVLC 4x4 parse functions
    • 2eddadc : Ensure ih264d_start_of_pic() is not repeated in ih264d_mark_err_slice_skip()
    • 5ac2ad8 : Ensure ih264d_start_of_pic() is not repeated in ih264d_mark_err_slice_skip()
    • b9982d4 : Decoder: Fix stack underflow in CAVLC 4x4 parse functions
    • d586400 : Decoder Update mb count after mb map is set.

  • platform/external/libhevc with 17 change(s)
    • 9f44219 : Fix heap buffer overflow while searching for valid PPS
    • a44bd29 : Check for buffer overflow in pps/slice header parsing
    • 7fa2a97 : memset SPS to zero
    • d6a57e2 : Fix reallocation for new sps
    • 673562c : resolve merge conflicts of 8dc7b42 to mnc-dr-dev
    • 6b908b5 : Set current slice ctb x and y to fill prev incomplete slice
    • 427dbba : Correct Tiles rows and cols check
    • d7c2e52 : Check only allocated mv bufs for releasing from reference
    • 69f64b6 : Fix in handling wrong cu_qp_delta
    • d739201 : Handle invalid num_reorder_pics & max_dec_pic_buffering in SPS
    • cf5b953 : Added check for invalid log2_max_transform_block_size in SPS
    • d646def : Added check for invalid log2_max_transform_block_size in SPS
    • 5146486 : Fixed out of bound reads in stack variables
    • 4f2c28d : Fixed handling invalid chroma tu size for error clips
    • 0613f3d : Fix in Chroma SAO for non-multiple of 8 height
    • f7265ad : Handle invalid slice_address in slice header
    • 24aa634 : Added few memsets to avoid uninitialized reads for error clips

  • platform/external/libmpeg2 with 15 change(s)
    • 337856a : Check Number of Skip MBs
    • 17f438e : Error Resilience - Check on as_recent_fld[0][1]
    • 5c5330e : Fix Bytes Consumed Issue
    • 2d98b43 : Check for Valid Frame Rate in Header
    • f4117e9 : Error Check for VLD Symbols Read
    • 0f49089 : Fixed out of bound read in flush_bits
    • d9c2855 : Fix for handling streams which resulted in negative num_mbs_left
    • 5d98623 : Fixed stack buffer overflow
    • 5173ff3 : Fix for handling streams which resulted in negative num_mbs_left
    • 27bbe74 : Fixed stack buffer overflow
    • 64b00fc : Revert "Fix for handling streams which resulted in negative num_mbs_left"
    • 7b7ff79 : Revert "Return error for wrong mb_type"
    • e5bd818 : Fix for handling streams which resulted in negative num_mbs_left
    • 78b1b25 : Fixed bit stream access to make sure that it is not read beyond the allocated size.
    • 48206d4 : Return error for wrong mb_type

  • platform/external/libnfc-nci with 2 change(s)
    • 8e60049 : Fix native crash in nfc_ncif_proc_activate
    • 85bb9b7 : Fix native crash in nfc_ncif_proc_activate

  • platform/external/libnl with 2 change(s)
    • 63da476 : Perform range check on len in nlmsg_reserve
    • 52f2923 : libnl: Check data length in nla_reserve / nla_put

  • platform/external/libopus with 1 change(s)
    • 744911a : Ensure that NLSF cannot be negative when computing a min distance between them

  • platform/external/libvpx with 3 change(s)
    • a88637b : Limit vpx decoder to 4K frames
    • 01b8a25 : vp8:fix threading issues
    • b3f304b : Fix ParseElementHeader to support 0 payload elements

  • platform/external/pdfium with 2 change(s)
    • 269ce88 : Backport 940100c28ae28931722290794889cf84a92c5f6f from libopenjpeg20
    • f749948 : Backport 734d57d5f7842aa7c2c9f36d62131ab4d8bd6c87 from libopenjpeg20

  • platform/external/sepolicy with 5 change(s)
    • f26c9ce : system_server: replace sys_resource with sys_ptrace
    • 6c69ebd : Allow the zygote to stat all files it opens.
    • 2839111 : expose control over unpriv perf access to shell
    • f919b98 : Further restrict socket ioctls available to apps
    • 8ad6f54 : Remove generic socket access from untrusted processes

  • platform/external/skia with 1 change(s)
    • 652f914 : Fix out of bounds memory read in GIFMovie.cpp

  • platform/external/sonivox with 9 change(s)
    • 9e9d4a2 : Fix infinite recursion
    • 34a012f : Check chunk size
    • 0d6d59d : Sonivox: sanity check headerLength in XMF_ReadNode.
    • a8ed52a : eas_mdls: fix OOB read.
    • 70fb061 : Fix NULL pointer dereference
    • c5843be : Sonivox: add SafetyNet log.
    • 6a21338 : Sonivox: sanity check numSamples.
    • 458e78b : Sonivox: add SafetyNet log.
    • ecf277c : Sonivox: sanity check numSamples.

  • platform/external/tremolo with 4 change(s)
    • f2ea3e3 : Always use unsigned char
    • db824a5 : Fix divide by zero for non-arm processor
    • 07e7103 : Tremolo: fix ARM assembly code for decode_map type 3 case
    • 45cff08 : Check partword is in range for # of partitions

  • platform/external/wpa_supplicant_8 with 5 change(s)
    • 02f71f3 : Guard against return value already being null
    • 9819ca5 : Remove newlines from config output
    • bf5fdbe : Guard against return value already being null
    • e960839 : Remove newlines from config output
    • 1f2be80 : WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use

  • platform/frameworks/av with 113 change(s)
    • b18a4dd : Fix memory leak in error case
    • fbed441 : Limit ogg packet size
    • 3b3e9c9 : Prevent OOB write in soft_avc encoder
    • bcb2f39 : Don't allow using or allocating a buffer after the first state transition
    • 9908b1f : Avoid crash for stss sync sample number 0
    • 456ec64 : Don't allow using or allocating a buffer after the first state transition
    • 432478a : CameraBase: Don't return an sp by reference
    • ca32aed : Fix overflow check and check read result
    • e660633 : resolve merge conflicts of 79cf158c51 to mnc-dev
    • e9ff002 : EffectBundle: check nb channels to write speaker angles
    • 12d8338 : avc_utils: skip empty NALs from malformed bitstreams
    • eeaa0ea : avc_utils: skip empty NALs from malformed bitstreams
    • 7d77479 : Don't initialize sync sample parameters until the end
    • c26aa7d : Don't CHECK when buffer is too large
    • d4b3c84 : Don't CHECK when buffer is too large
    • 87c3782 : Don't initialize sync sample parameters until the end
    • c069c93 : Fix security vulnerability: potential OOB write in audioserver
    • 71a018c : Effect: Use local cached data for Effect commit
    • 6ee0122 : IOMX: convert ANWB to Gralloc meta if using useBuffer in the same process
    • d620c30 : stagefright: remove allottedSize equality check in IOMX::useBuffer
    • 1cf41c9 : Visualizer: Check capture size and latency parameters
    • f9fab15 : Fix security vulnerability: Equalizer command might allow negative indexes
    • 697233c : Effects: Check get parameter command size
    • b84b0bb : Make VBRISeeker more robust
    • ba52ffa : Fix security vulnerability: Effect command might allow negative indexes
    • cc2295b : Fix potential NULL dereference in Visualizer effect
    • 4ca01e8 : stagefright: don't fail MediaCodec.configure if clients use store-meta key
    • f8c9768 : IOMX: do not clear buffer if it's allocated by component
    • f565f21 : IOMX: allow configuration after going to loaded state
    • ea35f2b : IOMX: restrict conversion of ANWB to gralloc source in emptyBuffer
    • c6c3a8f : SoundTrigger: get service by value.
    • 1610b32 : Radio: get service by value.
    • d4063c2 : SampleIterator: clear members on seekTo error
    • 2881e7c : IOMX: work against metadata buffer spoofing
    • abd5911 : Fix stack content leak vulnerability in mediaserver
    • 5ac546d : Fix potential overflow in Visualizer effect
    • 80ccca3 : Check mprotect result
    • 315fa40 : Limit mp4 atom size to something reasonable
    • c19aa43 : MediaPlayerService: allow next player to be NULL
    • dcb0b5e : Fix build break from SoftMPEG4Encoder.cpp
    • 6a39ef5 : Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
    • bd6b2c6 : better validation lengths of strings in ID3 tags
    • 50a2b17 : MediaPlayerService: avoid invalid static cast
    • 1e30fe9 : Add EFFECT_CMD_SET_PARAM parameter checking
    • 1f97582 : soundtrigger: add size check on sound model and recognition data
    • f63712b : fix build
    • 12d962b : SoftVPX: fix nFilledLen overflow
    • be63207 : Fix build
    • 74cf8ee : Fix build
    • 2567d06 : SoftMP3: memset safely
    • 9985de1 : Add bound checks to utf16_to_utf8
    • ff44fd3 : Impose a size bound for dynamically allocated tables in stbl.
    • 4340643 : OMXCodec: check IMemory::pointer() before using allocation
    • 949d1a4 : omx: prevent input port enable/disable for software codecs
    • 04d6279 : Fix corruption via buffer overflow in mediaserver
    • 9ed8c0d : Check effect command reply size in AudioFlinger
    • 7c6da52 : Fix potential overflow
    • 4d81ef1 : SoftHEVC: Exit gracefully in case of decoder errors
    • 05ca24f : Don't use sp&
    • 2fbe092 : SoftAAC2: fix crash on all-zero adts buffer
    • bb3a033 : Resolve a merge issue between lmp and lmp-mr1+
    • 8ba1871 : Check malloc result to avoid NPD
    • 2e721f1 : MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track.
    • 175afe6 : limit mediaserver memory
    • 182d114 : h264bsdActivateParamSets: Prevent multiplication overflow.
    • dfb6e0c : Fix security vulnerability in libstagefright
    • e6ec226 : Check section size when verifying CRC
    • de920e5 : Clear unused pointer field when sending across binder
    • 88507ea : Fix OMX_IndexParamConsumerUsageBits size check
    • f19ce2d : Fix size check for OMX_IndexParamConsumerUsageBits
    • 36e7312 : Fix initialization of AAC presentation struct
    • b06945b : codecs: check OMX buffer size before use in (h263|h264)dec
    • 7704606 : SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
    • 8e8e869 : resolve merge conflicts of 87695f6 to mnc-dev
    • 62cd6f7 : SampleTable.cpp: Prevent corrupted stts block from causing excessive memory allocation.
    • f597604 : AudioSource: initialize variables
    • 72b9a68 : codecs: check OMX buffer size before use in (gsm|g711)dec
    • 3779e17 : Check mp3 output buffer size
    • 17dbde0 : h264dec: check for overflows when calculating allocation size.
    • 8773562 : codecs: check OMX buffer size before use in VP8 encoder.
    • 564534f : Fix AMR decoder
    • 0c0cc87 : SoftAMR: check input buffer size to avoid overflow.
    • 244a481 : SoftAMR: check output buffer size to avoid overflow.
    • c3c093e : NuPlayerStreamListener: NULL and bounds check before memcpy
    • 6c72d19 : Camera3Device: Validate template ID
    • 53b8af3 : Add VPX output buffer size check
    • 84f7835 : Fix AMR decoder
    • bd5579c : codecs: check OMX buffer size before use in VP8 encoder.
    • dd6945d : Revert "codecs: check OMX buffer size before use in VP8 encoder." Revert for abandoned. This reverts commit f644869e3c4aee9650967368201790b72e236487.
    • 31ea2f0 : SoftAMR: check input buffer size to avoid overflow.
    • 354c30a : SoftAMR: check output buffer size to avoid overflow.
    • f644869 : codecs: check OMX buffer size before use in VP8 encoder.
    • 67297ff : NuPlayerStreamListener: NULL and bounds check before memcpy
    • 77d9324 : Camera3Device: Validate template ID
    • 617158e : Add VPX output buffer size check
    • 6ab905e : Get service by value instead of reference
    • 67d11e9 : Also fix out of bounds access for normal read
    • 20280c5 : Clear allocation to avoid info leak
    • b4ef484 : Fixing safetynet logging bug introduced in ag/862848
    • 8d87321 : 3 uninitialized variables in IOMX.cpp
    • 5a856f2 : Fix info leak vulnerability of IDrm
    • 79b7347 : IOMX.cpp uninitialized pointer in BnOMX::onTransact
    • ebb4bd1 : Merge conflict--Fixing safetynet logging bug introduced in ag/862848
    • f5e3b64 : Also fix out of bounds access for normal read
    • 7a5feaa : Get service by value instead of reference
    • bbbeaed : Fix info leak vulnerability of IDrm
    • 4d8bcd8 : 3 uninitialized variables in IOMX.cpp
    • 0c09f98 : IOMX.cpp uninitialized pointer in BnOMX::onTransact
    • 5e64327 : Clear allocation to avoid info leak
    • 4589fe7 : Camera: Disallow dumping clients directly
    • 72f3975 : fix possible overflow in effect wrappers.
    • 0cb399d : Fix out-of-bounds write
    • 29a2cd3 : libstagefright: check requested memory size before allocation for SoftMPEG4Encoder and SoftVPXEncoder.

  • platform/frameworks/base with 44 change(s)
    • fb07b46 : ZygoteInit: Remove CAP_SYS_RESOURCE
    • bf5b43c : system_server: add CAP_SYS_PTRACE
    • 0fd509c : Make a11y node info parceling more robust
    • 804cbf6 : Fixed the logic for tethering provisioning re-evaluation
    • 5549a1f : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2
    • 8c1294a : Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable.
    • 2815705 : Prevent writing to FRP partition during factory reset.
    • 7cc6259 : Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable.
    • 49ae4d6 : Prevent writing to FRP partition during factory reset.
    • 5e017ef : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516
    • 185ad42 : Zygote: Additional whitelisting for legacy devices.
    • 6b1fa5b : Zygote: Additional whitelists for runtime overlay / other static resources.
    • 949b060 : Zygote : Block SIGCHLD during fork.
    • 39e9323 : Fix idmap leak in zygote process
    • c6335a8 : Public volumes belong to a single user.
    • 8dd6b2f : resolve merge conflicts of 89aa6fb to mnc-dr-dev
    • a2c5d68 : Use "all_downloads" instead of "my_downloads".
    • dbb4fb4 : Fix build break due to automerge of 7d2198b5
    • f6ff0ac : Avoid crashing when downloading MitM'd PAC that is too big am: 7d2198b586 am: 9c1cb7a273 am: 6634e90ad7 am: 66ee2296a9
    • 5cc1157 : Fix setPairingConfirmation permissions issue (2/2)
    • cf053b5 : Ensure munmap matches mmap
    • c2c6bed : Backport changes to whitelist sockets opened by the zygote.
    • 3cbab7a : Fix vulnerability in LockSettings service
    • 4c8cead : Process: Fix communication with zygote.
    • 021c709 : Fix string equality comparison
    • a99e83d : WifiEnterpriseConfiguration: Do not print credentials in toString
    • a6c819a : Add bound checks to utf16_to_utf8
    • 0ba84ba : Check caller's uid before allowing notification policy access.
    • f7f3b5d : Add pm operation to set user restrictions.
    • 163728a : Reduce shell power over user management.
    • b83baa6 : Don't trust callers to supply app info to bindBackupAgent()
    • 0568b17 : Backport of backup transport whitelist
    • ac2d4d1 : Fix missing permission check when saving pattern/password
    • c8352fa : Backport ChooserTarget package source check from N
    • 5c3aba2 : Don't pass URL path and username/password to PAC scripts
    • 679c381 : resolve merge conflicts of 44e07e0 to mnc-dev
    • 1408899 : Kill the real/isolated uid group, not the ApplicationInfo uid
    • 5d799cd : Add new, hidden MotionEvent flag for partially obscured windows.
    • c5a0fca : Redact Account info from getCurrentSyncs
    • 2b05a69 : Conflict resolution CL to ag/868720 when cp'ing to mnc-mr1-release
    • a9e5fa7 : NPE fix for SyncStorageEngine read authority am: a962d9eba7 am: 339c4f2b05 am: 58048c1f17
    • 5566381 : Redact Account info from getCurrentSyncs
    • ea9cca7 : Check permissions on getDeviceId.
    • 157fde1 : Don't allow contact sharing by default for device not recognized as carkit.

  • platform/frameworks/ex with 4 change(s)
    • 98a3c5f : Handle small sized webps correctly
    • 6da377d : Handle small sized webps correctly
    • 2df264d : resolve merge conflicts of 3802db4 to mnc-dev
    • 62f48db : Handle color bounds correctly in GIF decode.

  • platform/frameworks/minikin with 4 change(s)
    • f10ea6d : Add error logging on invalid cmap
    • 1880cd8 : Reject fonts with invalid ranges in cmap
    • 87713aa : Reject fonts with invalid ranges in cmap
    • 0571164 : Avoid integer overflows in parsing fonts

  • platform/frameworks/native with 26 change(s)
    • 2aa91b3 : libgui: check for invalid slot in attachBuffer
    • a6381e3 : libgui: Check slot received from IGBP in Surface
    • 33d1119 : ui: Fix bad size check in Fence::unflatten
    • 088c16b : Fix security vulnerability
    • 862a018 : Correct overflow check in Parcel resize code
    • f607913 : Fix SF security vulnerability: 32706020
    • a9b6ac9 : Fix SF security vulnerability: 32660278
    • 48757ad : ServiceManager: Allow system services running as secondary users to add services
    • 5d81055 : ServiceManager: Restore basic uid check
    • 188f114 : Region: Detect malicious overflow in unflatten
    • 98e433e : Add FrameStats default constructor
    • 9248e07 : Correctly handle dup() failure in Parcel::readNativeHandle
    • 42db615 : Add new MotionEvent flag for partially obscured windows.
    • b0a3ac5 : Fix issue #27252896: Security Vulnerability -- weak binder
    • df3f527 : BQ: fix some uninitialized variables
    • e7ef5b6 : Fix issue #27252896: Security Vulnerability -- weak binder
    • 4cf908a : BQ: fix some uninitialized variables
    • 638ac77 : Add SN logging
    • c9d518e : Sanity check IMemory access versus underlying mmap
    • 43316b3 : BQ: Add permission check to BufferQueueConsumer::dump
    • 54fb75b : Sanity check IMemory access versus underlying mmap
    • 40a41c7 : Revert "Sanity check IMemory access versus underlying mmap" because the CL got abandoned This reverts commit d4e6bf1413f4d259965ed595f396babdea97de29.
    • 2a73b63 : BQ: Add permission check to BufferQueueConsumer::dump
    • d4e6bf1 : Sanity check IMemory access versus underlying mmap
    • 2c25415 : IGraphicBufferProducer: fix QUEUE_BUFFER info leak
    • 05d6a7e : IGraphicBufferConsumer: fix ATTACH_BUFFER info leak

  • platform/frameworks/opt/net/wifi with 9 change(s)
    • d4cd5c5 : configparse: do not delete passpoint configuration file
    • 1e9fed3 : configparse: do not delete passpoint configuration file
    • 9323999 : resolve merge conflicts of 849c5c7 to mnc-dev
    • b1fe81c : wifinative jni: check array length to prevent stack overflow
    • 59229c0 : Revert "Fix Runtime Restart caused by ag/1370419"
    • 2a9c887 : Fix Runtime Restart caused by ag/1370419
    • f65e556 : ANQPFactory: catch all potential parsing errors
    • 7968227 : VenueNameElement: fix off-by-one enum bounds check
    • f0f4f2f : Deal correctly with short strings

  • platform/frameworks/opt/telephony with 3 change(s)
    • d215127 : Do not allow premium SMS during SuW
    • 8356958 : backport security fix: avoid set NITZ time to 2038
    • 7eb9d5a : Check permissions on getDeviceId.

  • platform/hardware/broadcom/wlan with 1 change(s)
    • 8a8ccb0 : Fix use-after-free in wifi_cleanup()

  • platform/hardware/libhardware with 2 change(s)
    • 2334111 : Fix security vulnerability: potential OOB write in audioserver
    • 083e193 : Add guest mode functionality (1/3)

  • platform/hardware/qcom/audio with 6 change(s)
    • 97861f3 : Fix security vulnerability: Equalizer command might allow negative indexes
    • a7d44c1 : Fix security vulnerability: Effect command might allow negative indexes
    • b0a265e : Fix potential NULL dereference in Visualizer effect
    • 8fb71b9 : Fix potential overflow in Visualizer effect
    • 012de35 : post proc : volume listener : fix effect release crash
    • 0adea37 : post proc : volume listener : fix effect release crash

  • platform/hardware/qcom/media with 1 change(s)
    • b23b392 : mm-video-v4l2: vdec: Disallow input usebuffer for secure case

  • platform/hardware/ril with 1 change(s)
    • e44a748 : Replace variable-length arrays on stack with malloc.

  • platform/libcore with 4 change(s)
    • cdc5ccc : FtpURLConnection: Throw on invalid characters in commands.
    • 16ff477 : CipherTest: in ASN1 encoding for GCM, no value for tag size means 12
    • 50e16e8 : GCMParameters: check that the default tag size is secure (16 bits)
    • 7315a10 : GCMParameters: check that the default tag size is secure (16 bits)

  • platform/packages/apps/Bluetooth with 5 change(s)
    • cc12f3b : OPP: Restrict file based URI access to external storage
    • 806a57a : Prevent OPP from opening files that aren't sent over Bluetooth
    • 3b99f4c : Remove MANAGE_DOCUMENTS permission as it isn't needed
    • bc2927c : Fix setPairingConfirmation permissions issue (1/2)
    • 35b0b46 : Add guest mode functionality (3/3)

  • platform/packages/apps/CertInstaller with 4 change(s)
    • 62a9f0b : WifiInstaller: remove the installation file
    • 97ca257 : WifiInstaller: remove the installation file
    • a47158e : Trust CA certificates added for the whole OS only
    • f34cd68 : Trust CA certificates added for the whole OS only

  • platform/packages/apps/ContactsCommon with 1 change(s)
    • b54016a : resolve merge conflicts of e20a370 to mnc-dev

  • platform/packages/apps/Email with 4 change(s)
    • 2859e34 : Limit account id and id to longs
    • 8cd5b40 : stop exporting EmailAccountCacheProvider
    • dac07ba : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 21eb7f9 : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.

  • platform/packages/apps/Messaging with 7 change(s)
    • 09c15f3 : 32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex]
    • 6fbc1c5 : 33388925 Mismatched new vs delete in framesequence library
    • ac65cc4 : 33388925 Mismatched new vs delete in framesequence library
    • 89d7a3e : 32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex]
    • ba16cee : 32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app.
    • 43f6f5c : 32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so
    • be0789e : 32161610 Security Vulnerability - Information disclosure vulnerability in AOSP Messaging

  • platform/packages/apps/Nfc with 2 change(s)
    • 0000967 : Allow system_server access to NFC reader mode API.
    • be0e21a : Verify setForegroundDispatch caller is in foreground.

  • platform/packages/apps/PackageInstaller with 3 change(s)
    • fc3ebea : Fix mismatched tag
    • 550a4e6 : Prioritize package installer intent filter
    • 0193872 : Prioritize package installer intent filter

  • platform/packages/apps/Settings with 4 change(s)
    • 97d1f86 : Add permission check to Intents used by Authenticator Settings.
    • be1af14 : Preserve FRP lock if wiped during SUW
    • 5de26d8 : Block developer settings during SUW
    • edcf785 : Uncheck checkbox for contact sharing by default for non carkit devices.

  • platform/packages/apps/UnifiedEmail with 5 change(s)
    • cb8e81d : Don't allow file attachment from /data through GET_CONTENT.
    • 15da6d5 : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 3284023 : Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider.
    • 5c1a64f : Don't allow file attachment from file:///data.
    • 4f3c7fc : Don't allow file attachment from file:///data.

  • platform/packages/providers/DownloadProvider with 7 change(s)
    • 1a49568 : Deleting downloads for removed uids on downloadprovider start
    • 5952f2f : Enforce calling identity before clearing.
    • c2d6864 : Revert "Enforce calling identity before clearing."
    • 0e6b409 : Enforce calling identity before clearing.
    • a8bc340 : Use resolved path for both checking and opening.
    • e7689fd : Revert "Use resolved path for both checking and opening."
    • a973562 : Use resolved path for both checking and opening.

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • 9c76905 : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid

  • platform/packages/services/Telephony with 7 change(s)
    • db73083 : Added permission check for setCellInfoListRate
    • fc2d51e : Catch SIP exceptions which can crash Phone process on answer.
    • c43cb40 : Unexport OmtpMessageReceiver
    • 5600914 : Restrict SipProfiles to profiles directory
    • 981ebe0 : Make TTY broadcasts protected
    • 4213bf6 : Fixes creation of incorrect SIP PhoneAccountHandle
    • faf23da : Fixes creation of incorrect SIP PhoneAccountHandle

  • platform/system/bt with 4 change(s)
    • 449ad52 : Check LE advertising data length before caching advertising records
    • b53af3a : Add guest mode functionality (2/3)
    • 196e799 : btif: Don't persist remote devices to the config
    • 4aa205e : Fix crashes with lots of discovered LE devices

  • platform/system/core with 18 change(s)
    • f011398 : Fix out of bound read in libziparchive
    • 2764245 : Fix out of bound access in libziparchive
    • 9034bfa : liblog: add __android_log_close()
    • fdcc4f2 : liblog: add __android_log_close()
    • 7f65b0b : Fix vold vulnerability in FrameworkListener
    • 3a51203 : debuggerd: fix missed use of ptrace(PTRACE_ATTACH).
    • a563e47 : adb: use asocket's close function when closing.
    • 097b7ea : adb: switch the socket list mutex to a recursive_mutex.
    • 3cc51fb : libutils/Unicode.cpp: Correct length computation and add checks for utf16-utf8
    • 00fd62a : add a property for controlling perf_event_paranoid
    • 47f2a16 : Fix scanf %s in lsof.
    • e2bc618 : Fix overflow in path building
    • 2ce28bf : Don't demangle symbol names.
    • 80088cf : Don't demangle symbol names.
    • 78aa538 : Don't create tombstone directory.
    • 442a604 : Don't create tombstone directory.
    • 8ccc65e : Fix incorrect check of descsz value.
    • a9e5d12 : Add macro to call event logger for errors.

  • platform/system/media with 7 change(s)
    • 5e1ddf1 : Fix potential overflow in Visualizer effect
    • d39f805 : Camera metadata: Check for inconsistent data count
    • 45c0ad1 : Revert "Camera metadata: Check for inconsistent data count"
    • 5b7000b : Camera metadata: Check for inconsistent data count
    • 0d38bd8 : Revert "Camera metadata: Check for inconsistent data count"
    • d8ebb62 : Camera metadata: Check for inconsistent data count
    • 61ba45c : Camera: Prevent data size overflow