Android Nougat AOSP Changes

Changes from 7.0.0_r33 (NBD92G) to 7.0.0_r34 (NBD92N):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (26):

  • device/google/dragon with 1 change(s)
    • f402965 : Fix audio record pre-processing

  • platform/bionic with 1 change(s)
    • f1fe99f : linker: remove link from external library on unload

  • platform/build with 7 change(s)
    • 5eddfa3 : Update bugfix security string to October (cherry picked from commit ba16193f1e503e26381f81ff7d95820b75bb2247)
    • 669a337 : Update Security String to September for Bugfix (cherry picked from commit d932d49b64fcc794dfd112694dade745eb345363)
    • 41b186c : Version bump to NBD92L
    • 8439b07 : Version bump to NBD92K
    • 28a1c78 : Version bump to NBD92J
    • 1eef05a : NBD92I
    • 69ba3ea : NBD92H

  • platform/external/boringssl with 2 change(s)
    • c8b5fe9 : CVE 2016-2109 fix
    • f984795 : Always use Fermat's Little Theorem in ecdsa_sign_setup.

  • platform/external/dng_sdk with 1 change(s)
    • dd092c6 : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/dnsmasq with 2 change(s)
    • 6dc950b : Add extra (size_t) cast to avoid compiler warning.
    • a10cd37 : Make dnsmasq more stable.

  • platform/external/libavc with 21 change(s)
    • 977ff4a : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • 8a96e64 : Decoder: Fixed overflow in reference list creation.
    • 93d9884 : Initialize DPB structures to valid values.
    • acf845b : Added error check for output buffer size.
    • d6858ba : Fixed hang in the case of multiple sps id.
    • 327f93c : Decoder: Fix in the case of MMCO 6
    • 2d3c734 : Decoder: Cleaned up parse sps function.
    • 4e2860c : Initializing reference list for every P/B slice.
    • 445d57c : Fix resolution change within a decode call.
    • 15827be : Decoder: Fixed allocation size of pred info buffer
    • c46d83a : Decoder: Fix end of bitstream error.
    • 2285974 : Decoder: Fix allocation for Mbaff weight matrix
    • 4c1ac1e : Decoder: Initialize MB info buffer to zero.
    • 4d50188 : Decoder: Fixed flag u1_top_bottom_decoded.
    • 823e2bd : Decoder: Added an error check while parsing PPS.
    • 8503745 : Fix stack buffer overflow in ih264d_process_intra_mb
    • ac64724 : Decoder: Fix in reference list initialization.
    • 205985d : Decoder: Fixes in accessing mbaff flag in error cases
    • 0741a41 : Fix in the case of MMCO 3 (long term reference idx).
    • 525dbf3 : Decoder: Fixed error handling for dangling fields
    • 5b50bdf : Decoder: Fixed number of MB calculation for interlaced error streams

  • platform/external/libhevc with 20 change(s)
    • 49ca3ef : Fix slice decrement for skipped slices
    • 617405b : Ensure CTB size 16 for clips with tiles and width/height = 4096
    • 3df8b4b : Limit boundary PU sizes in case of errors
    • 5e85dfa : Fix array size for hrd parameters
    • 98251e8 : Check number of output buffers and sizes
    • 42d7aa1 : Return error for invalid crop parameters
    • 2107c44 : Fix OOB issue in nal unit parsing
    • dacf9ba : Set pic_present at end of pic_init instead of beginning
    • bb2912a : Handle error return in parse slice
    • ca32a90 : Fix heap buffer overflow while searching for valid PPS
    • 55ffcfb : Check for buffer overflow in pps/slice header parsing
    • 6076ba9 : memset SPS to zero
    • 7e6466e : Fix reallocation for new sps
    • 2bf2985 : Check for cpb cnt in hrd parsing
    • 83e8832 : Correct Tiles rows and cols check
    • 7b1cf7f : Check only allocated mv bufs for releasing from reference
    • 8d9bad9 : Set current slice ctb x and y to fill prev incomplete slice
    • 14efc6a : Handle error return from ref list in slice hdr parsing
    • 4bc0adc : Return error from cabac init if offset is greater than range
    • d3690f9 : Return error if SPS parsing reads more bytes than the nal length

  • platform/external/libmpeg2 with 9 change(s)
    • b8e04c0 : Fixed Memory Overflow Errors
    • 93af4ef : Correcting NumCoeff Check in VLD
    • 4d991ba : Adding Error Check For PictureStructure Param
    • 62bd739 : Update mbs_left In Case Of Missing Slice
    • 8c0efb8 : Check For Zero Width/Height in Frame Header
    • 1c38adb : Check Number of Skip MBs
    • ec659d9 : Error Resilience - Check on as_recent_fld[0][1]
    • bde91fa : Fix Bytes Consumed Issue
    • f087f52 : Fix in handling header decode errors

  • platform/external/libvpx with 1 change(s)
    • 5fdc527 : Limit vpx decoder to 4K frames

  • platform/external/libxml2 with 1 change(s)
    • 7b6c139 : Update libxml2 to 2.9.4 by merging e3d78e1f into nyc-dev.

  • platform/external/sonivox with 3 change(s)

  • platform/external/tremolo with 3 change(s)
    • f1636bd : Fix out of bounds access in codebook processing
    • a2a2366 : Use heap instead of alloca in res012.c
    • 3f82609 : Always use unsigned char

  • platform/frameworks/av with 40 change(s)
    • 86bdce8 : Fix 'potential memory leak' compiler warning.
    • 5958ede : Check buffer size in useBuffer in software components
    • d3daa54 : stagefright: avoid buffer overflow in base64 decoder
    • c72ab9c : Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
    • a4cb749 : Fix memory leak in OggExtractor
    • 7668983 : Skip track if verification fails
    • 283b936 : MPEG4Source: fix fragmented read.
    • b9d24e9 : stagefright: fix crash due to bad timestamp index
    • aef5439 : stagefright: check aac_frame_length to prevent infinite loop
    • 32ef996 : MediaPlayerService: fix access of mPlayer in client
    • e5ae829 : MPEG4Extractor: ensure returned status is checked.
    • d5f9832 : audio effects: filter reserved effect commands
    • 142c37a : Change MPEG2 reinit Error Handling
    • 9e8522e : Track: Check buffer size of static tracks
    • bbee74e : MPEG4Extractor: check size for yrrc box
    • 7cee9d0 : AudioFlinger: Fix memory allocation for client-less tracks
    • 562b4c9 : Notify Errors Appropriately from SoftMPEG2
    • 679e579 : EffectBundle: Check value size for get preset name
    • 81482a9 : Fix TOCTOU problem in libstagefright_soft_aacenc
    • e3c3c21 : Fix security vulnerability: Equalizer setParameter memory overflow
    • e9f8be0 : Check the buffer index from acquireBuffer
    • ece623c : better manage buffer for libstagefright_soft_mpeg4enc
    • a6fe507 : m4v_h263: update width/height only when they are valid.
    • 1097a23 : m4v_h263: check header first before decoding a frame.
    • efca80c : Fix integer overflow in mediadrmserver
    • 85559d6 : Fix potential leak
    • 7406a44 : Modifying MetaData invalidates previous char*
    • b2184a0 : Fix memory leak in error case
    • edc20fc : Limit ogg packet size
    • 7a65563 : Prevent OOB write in soft_avc encoder
    • 07d0c6c : Avoid crash for stss sync sample number 0
    • 7b34dc4 : Don't allow using or allocating a buffer after the first state transition
    • e570b59 : FLACExtractor: copy protect mWriteBuffer
    • 9d71510 : Add bounds check in SoftAACEncoder2::onQueueFilled()
    • 954e3d6 : Fix integer overflow and divide-by-zero
    • 6183f7c : Fix NPDs in h263 decoder
    • a75badb : Fix out of bounds access
    • 3468e22 : Validate lengths in HEVC metadata parsing
    • d6e03aa : AudioFlinger: Check framecount overflow when creating track
    • 3102b04 : codecs: handle onReset() for a few encoders

  • platform/frameworks/base with 8 change(s)
    • bc1550f : Fix security hole in GateKeeperResponse.
    • 4f60062 : Enforce policy for camera gesture in keyguard
    • 73cd152 : Back-port fixes for b/62196835
    • 381fd75 : Close connection before retrying
    • ad44210 : ZygoteInit: Remove CAP_SYS_RESOURCE
    • 89df367 : system_server: add CAP_SYS_PTRACE
    • 510f016 : Make a11y node info parceling more robust
    • b351be2 : Protect Bluetooth OPP ACCEPT and DECLINE broadcast

  • platform/frameworks/native with 4 change(s)
    • 2b89987 : fix race condition that can cause a use after free
    • d6e9c1c : libgui: check for invalid slot in attachBuffer
    • 089c769 : libgui: Check slot received from IGBP in Surface
    • 67ecf36 : ui: Fix bad size check in Fence::unflatten

  • platform/frameworks/opt/net/wifi with 1 change(s)
    • 7a59ee6 : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange

  • platform/hardware/qcom/audio with 2 change(s)
    • a3a3d03 : Equalizer: Check value size for get preset name
    • 80d16f5 : Fix security vulnerability: Equalizer setParameter memory overflow

  • platform/libcore with 6 change(s)
    • c5dcd1c : Fix failing FileTest#test_canonicalCachesAreOff()
    • cf4b69f : Disable File.getCanonicalPath caches.
    • 4739bee : Proper fix for rejecting ftp URL with /r/n.
    • 4d6e231 : Revert "Reject ftp URLConnection containing /r/n in user info."
    • a199e2f : Reject ftp URLConnection containing /r/n in user info.
    • 7925afa : Test for rejection of ftp URL with /r/n in userinfo

  • platform/packages/apps/Bluetooth with 2 change(s)
    • f3f1d92 : Prevent OPP from opening files that aren't sent over Bluetooth
    • 8066e11 : OPP: Restrict file based URI access to external storage

  • platform/packages/apps/Messaging with 1 change(s)
    • 9f73c36 : 37742976 - Catch bad gifs

  • platform/packages/apps/Nfc with 1 change(s)
    • 630104d : Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

  • platform/packages/apps/Settings with 3 change(s)
    • 8e5cf7c : Disabling the activate button when paused
    • 3a692f7 : Back-port ag/2491664
    • 6f94ffe : resolve merge conflicts of 3964c51bf2 to nyc-dev

  • platform/system/bt with 9 change(s)
    • ff8dff1 : Add missing extension length check while parsing BNEP control packets
    • 98dfa3e : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • fc30889 : Add a missing check for PAN buffer size before copying data
    • ea3343a : Add missing packet length checks while parsing BNEP control packets
    • e083259 : Add missing continuation offset check for SDP continuation requests
    • d4d3424 : Disable PAN Reverse Tethering when connection originated by the Remote
    • a85851a : Allocate buffers of the right size when BT_HDR is included
    • 11cd452 : Check LE advertising data length before caching advertising records
    • 03d04ea : resolve merge conflicts of a3ee2e35 to nyc-dev

  • platform/system/core with 1 change(s)
    • efe5966 : Fix out of bound read in libziparchive

  • platform/system/sepolicy with 1 change(s)
    • 8d6c9ab : system_server: replace sys_resource with sys_ptrace