Android Nougat AOSP Changes

Changes from 7.0.0_r35 (NBD92Q) to 7.0.0_r36 (NBD92Y):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (1):

Updated Components (43):

  • platform/build with 8 change(s)
    • 2910002 : Update NYC-Bugfix security string to Mar 2019 for AOSP pushwq (cherry picked from commit f19ec381f226709bd2a3c0e66006d14ef1bd2f04)
    • 81cc877 : Version bump to NBD92X
    • a99dca1 : Version bump to NBD92W
    • 9d9de05 : Update Security String to April on Bugfix Release (cherry picked from commit bc87e290d4b39603217780e48c26e9e1cfb9be4b)
    • 5928372 : Specify --max_timestamp when calling brillo_update_payload.
    • 2f8b013 : Update Bugfix release to March patch string (cherry picked from commit 6fd802e7eb576913a70f1b0af7466d9fe6da6f85)
    • e4a9a07 : Update Security String for bugfix release to February (cherry picked from commit 2fd44e18884fe30a18f67a4a1ceb8f5a14d0d6ab)
    • c05e5af : Update bugfix release to Jan 1 (cherry picked from commit 633d9a764893daf70c54ac9a7c827d1408426762)

  • platform/external/aac with 1 change(s)
    • e03b8da : Fix out of bound memory access in lppTransposer

  • platform/external/bouncycastle with 1 change(s)
    • 4c54bc8 : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • 8ec77bf : Test for error in handling getters changing element kind.

  • platform/external/curl with 1 change(s)
    • a26e176 : Disable unused protocols.

  • platform/external/e2fsprogs with 1 change(s)
    • 45228bf : Ignore quotes in safe_print().

  • platform/external/libavc with 13 change(s)
    • 9e8c29c : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • e5137e5 : Bug fix for flush without valid frames
    • c65b863 : Encoder: Return error for odd resolution
    • 5c82974 : Decoder: Modify setting short term reference field flag
    • 4dbe6a9 : Decoder: Fixed reset values in parse sps.
    • 3983789 : Decoder: Set prev slice type for I slice.
    • fedc3e8 : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • fda04e6 : Decoder: Fixed memory overflow in shared display mode.
    • 1471910 : Decoder: Modified loop condition while parsing ref_list_reordering.
    • f10d139 : Decoder: Handle dec_hdl memory allocation failure gracefully
    • ea88b55 : Decoder: Fixed incorrect use of mmco parameters.
    • 6844797 : Decoder: Increased allocation and added checks in sei parsing.
    • 00d938f : Decoder: Detect change of mbaff flag in SPS

  • platform/external/libhevc with 19 change(s)
    • d80f82f : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 9cbeaa5 : Add limits check for the CTB position in a frame
    • 9350e2e : Return error for invalid st/lt sps parameters
    • fd4761a : Return error for invalid sps sub layers parameters
    • 8073400 : Add limits check for depth hierarchy sps parameters
    • 74f52a4 : Return error for invalid reorder parameter
    • d96bbea : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • a2471ee : Fix output buffer size check
    • cc584d2 : Check if luma wd and ht are multiple of min cb size
    • bff2659 : Update ctb pu map for I slice
    • 5f82496 : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • 9095dbf : Fixed few issues in SAO arm assemblies
    • e9204e6 : Fix first frame error return
    • ed221c3 : Return error for negative crop parameters
    • 3ffb952 : Fix slice address zero for not first slice in pic
    • d0eaf4e : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • 39c9684 : Fix prev slice incomplete check
    • fb66df4 : Fix incomplete frame error
    • 7f43ddc : Set error skip ctbs as multiple 8x8 pus

  • platform/external/libmpeg2 with 8 change(s)
    • dfbea69 : Adding check for min_width and min_height
    • a07e4d3 : Handle Unsupported Dimensions in Test App
    • 93511c1 : Adding Check For Number of Skip MBs
    • b9f30d0 : Adding Internal Input Buffer
    • 9416ba6 : Adding Error Check for Output Buffer Size
    • ac42474 : Correcting Buffer Allocation for Shared Display
    • 1fb0e67 : Fixing Underflow of ps_dec-u2_num_mbs_left
    • eea4ef6 : Adding Error Check for f_code Parameters

  • platform/external/libnfc-nci with 16 change(s)
    • 1f83f1e : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • 225cfb4 : Prevent Out of bounds read in ce_t4t.cc
    • a475dc6 : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • c955b35 : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • b2687f9 : Fix heap overflow in NFA_SendRawFrame()
    • ea52f7b : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • 247b71d : Prevent OOB read in rw_t3t_update_block()
    • 256fe8d : Fix CVE
    • 6436dc1 : Prevent Out of bound error in phNxpNciHal_process_ext_rsp
    • 98a5e36 : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • 2fde356 : Prevent OOB error in nfc_ncif_proc_get_routing()
    • a48f8a0 : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • f986e6e : Improve AGF PDU integrity check to prevent OOB error
    • 0780764 : Prevent Out of bounds read in llcp_dlc
    • ae16e3e : Prevent Out of bounds read in llcp_util
    • 422ff6e : Prevent OOB error for T2T read/writes

  • platform/external/libvpx with 1 change(s)
    • 4ab6755 : libwebm: Cherrypick 5a41830 from upstream

  • platform/external/libxml2 with 1 change(s)
    • f6172a3 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • d863373 : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/skia with 3 change(s)
    • 9024833 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • 7cc3e73 : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • acee705 : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"

  • platform/external/sonivox with 5 change(s)
    • 9e5ffa4 : sonivox: prevent rejection of good but large MIDI files
    • c3bec76 : sonivox: prevent infinite loop in OTA ringtones
    • 8a2b078 : sonivox: fix hang caused by bad meta-event
    • a55982d : Add recursion limit to XMF_ReadNode
    • 84257b1 : Fix memory leak

  • platform/external/sqlite with 1 change(s)
    • 28e2886 : RESTRICT AUTOMERGE: Apply security patch to sqlite 3.9.

  • platform/external/svox with 1 change(s)
    • 4e12a05 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 1 change(s)
    • c639d3e : Fix OOB access in Tremolo

  • platform/external/wpa_supplicant_8 with 2 change(s)
    • 715f661 : Use BoringSSL to get random bytes
    • 7f573a7 : WNM: Fix WNM-Sleep Mode Request bounds checking

  • platform/frameworks/av with 29 change(s)
    • f4b9db7 : CTS error while media dump()
    • 911440b : MediaExtractor: stop rendering when an error occurs
    • 56eb678 : Check for overflow of crypto size
    • e4e6360 : M3UParser: handle missing EXT-X-MEDIA URIs
    • df3352f : Fix possible out of bounds read
    • 2f76f03 : M3UParser: make url on demand
    • 813fa3e : Speed up id3v2 unsynchronization
    • 2a1a1ff : Sanitize effect descriptors for AudioPolicyService binder calls.
    • eb89cff : Add check preventing div0 issue
    • 0f86842 : Init gain config to prevent uninit leak.
    • 36ede01 : better mpeg2 TS elementary stream Access Unit parsing
    • 2841ad5 : Handle bad bitrate index in mp3dec.
    • 7cf23ab : RESTRICT AUTOMERGE Prevent MediaPlayerService::Client's use-after-free
    • edd7a5b : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • bad3b1e : Check NAL size before looking inside
    • cf0e032 : AACExtractor: check bounds during seek
    • 035c745 : Apply input buffer validation also to AVC and MPEG4 encoders
    • d6b115b : httplive: check for malformed EXT-X-STREAM-INF
    • 0958660 : Soundtrigger service: fix status reporting in loadSoundModel
    • dce98ca : IAudioPolicyService: Add attribute tags sanitization
    • fdf603e : stagefright: MP4Extractor: allow 10% overhead on default sample size
    • 920a57f : Access AVCDEC context after create fail check
    • b1ea3e5 : Access HEVC context after create fail check
    • 633d780 : Fix the UAF bug caused by a dead stack variable
    • 5d041ac : SoftAVCDec: Handle zero length input without EOS
    • 38c3fdf : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • d5e0f12 : Fix edge case when applying id3 unsynchronization
    • c71feda : Validate decryption key length to decrypt function.
    • 0f9dd0d : RESTRICT AUTOMERGE Protect against possible race conditions

  • platform/frameworks/base with 28 change(s)
    • 2b2fbe3 : Select only preinstalled Spell Checker Services
    • 82fe5e7 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • b023869 : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • aa6236c : Verify number of Map entries written to Parcel
    • 545cc75 : Hide overlay windows when requesting media projection permission.
    • ed996ed : Fix crash during cursor moving on BiDi text
    • 5678a81 : RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package.
    • 680ea9c : Fix TrackInfo parcel write
    • 304a28a : Resolve inconsistent parcel read in NanoAppFilter
    • 7d4d423 : Fix DynamicRefTable::load security bug
    • a0c74b5 : ResStringPool: Prevent boot loop from se fix
    • 97e18c8 : Optimise the hit test algorithm
    • 4823522 : Make safe label more safe
    • 0f0a207 : clearCallingIdentity before calling into getPackageUidAsUser
    • 1252702 : Nullcheck to fix Autofill CTS
    • 783b2ef : ResStringPool: Fix security vulnerability
    • a186f74 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to nyc-dev)
    • 6b4aa56 : Rework thumbnail cleanup
    • a6b4778 : Fixed Security Vulnerability of DcParamObject
    • 53d42e1 : Update internal ViewPager's SavedState to match Support Library version
    • 47b46a3 : Verify last array's length in readFromParcel
    • 3b39939 : [RTT] ParcelableRttResults parcel code fix
    • bc2ea2b : Fix VerifyCredentialResponse parcelling code
    • 38103a8 : Adjust URI host parsing to stop on \ character.
    • e5c98b1 : Check for null-terminator in ResStringPool::string8At
    • c427337 : Adjust Uri host parsing to use last instead of first @.
    • 0dccfe9 : Use calling user ID when calling isDeviceLocked
    • c81bd42 : mtp: fix double free of thumbnail data

  • platform/frameworks/ex with 2 change(s)
    • fba71e2 : Add bounds checking for transparency lookup
    • 1abf5d7 : Skip composition of frames lacking a color map

  • platform/frameworks/native with 4 change(s)
    • dada6ad : Sanitize InputMessage before sending
    • 20a7a7d : Don't pad before calling writeInPlace().
    • 26f4de9 : Increment when attempting to read protected Parcel Data
    • a7f91e6 : Disallow reading object data from Parcels with non-object reads

  • platform/frameworks/opt/net/wifi with 1 change(s)
    • 5b6734b : RESTRICT AUTOMERGE: WifiServiceImpl: fix and add tethering checks

  • platform/frameworks/opt/telephony with 1 change(s)
    • 462f085 : Fixed Invalid Pdu Issue

  • platform/hardware/qcom/media with 2 change(s)
    • 1f2edf4 : mm-video-v4l2: venc: Avoid buffer access after free
    • f4fc254 : mm-video-v4l2: venc: Protect buffer from being freed while accessing

  • platform/libcore with 1 change(s)
    • 0cc506e : Fix hostname parsing in java.net.URLStreamHandler.

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 8e2b38f : Make sure server response doesn't exceed maximum allowable length

  • platform/packages/apps/Contacts with 1 change(s)
    • 6eab7ba : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/Email with 1 change(s)
    • 874834f : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 1 change(s)
    • 1638226 : Messaging ignores file URIs shared via intent

  • platform/packages/apps/PackageInstaller with 1 change(s)
    • 331c2fe : RESTRICT AUTOMERGE: Always use safe labels

  • platform/packages/apps/Settings with 2 change(s)
    • 3de3563 : Reword bluetooth confirmation dialog
    • 2b093e5 : Set device credential's Window flag to be SECURE.

  • platform/packages/apps/UnifiedEmail with 2 change(s)
    • eabcb8f : Filter Attachment file name of forward slashes for .eml attachments.
    • 6fdccf7 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • 8225282 : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 9dd067f : Rework thumbnail cleanup

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • 7df2f49 : Check caller before accessing database

  • platform/packages/services/Telephony with 1 change(s)
    • 2699b3d : Enhanced permission checks for TelephonyManager#endCall() API.

  • platform/system/bt with 18 change(s)
    • 32dabc0 : Fix possible OOB read in process_service_search_rsp
    • 32f7254 : Checks the SMP length to fix OOB read
    • 5e18490 : Fix copy length calculation in sdp_copy_raw_data
    • d742b2e : Don't use Address after it was deleted
    • 8cb3cb8 : Add packet length checks in l2cble_process_sig_cmd
    • be3d38c : SDP: return error on offset bigger than attribute length
    • 2a31489 : Add checks whether the AVDTP element data length is valid
    • 1f2cd40 : BNEP: Fix OOB access in bnep_data_ind
    • 310f805 : Fixes two bluetooth bugs causing remote overreads (2/2)
    • ec47084 : Decrease length after reading from array in process_service_attr_req
    • 1223040 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • e13b347 : GATT: Handle too short Error Response PDU
    • 1ee7423 : Add PDU size checks in process_service_search_attr_rsp
    • 426d80a : SDP: Pass the bounds to process_service_*_rsp
    • ebd8158 : BNEP: Check received frame type
    • a19f261 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • 35084b6 : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 09cfeab : Removed alarm callback execution statistics

  • platform/system/core with 2 change(s)
    • 2a458e1 : String16: remove integer overflows
    • 3074519 : libnetutil: Check dhcp response packet length

  • platform/system/media with 2 change(s)
    • acd9e2e : Camera: Initialize metadata padding field
    • fc5cf6a : Camera metadata: Check source metadata size

  • platform/system/update_engine with 2 change(s)
    • 4354356 : Add SafetyNet logging for payload timestamp error.
    • 22c04f4 : Add maximum timestamp to the payload.

  • platform/system/vold with 1 change(s)
    • 9c0906b : Require quotes when searching for blkid keys.