Android Nougat AOSP Changes

Changes from 7.1.1_r49 (N9F27H) to 7.1.1_r50 (N8I11B):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (43):

  • device/asus/fugu with 3 change(s)
    • a04581f : update media_codecs_performance.xml
    • 4a39caa : update media_codecs_performance.xml
    • e31f75d : dexpreopt: make significantly more room for l10n builds

  • device/asus/fugu-kernel with 2 change(s)
    • bbf3c5f : fugu: update prebuilt kernel
    • b9b7a0f : fugu: update prebuilt kernel

  • device/google/marlin with 2 change(s)
    • 475df60 : sepolicy: grant thermal-engine sys_boot
    • 3b48a49 : Add a thermal shutdown to marlin

  • device/htc/flounder with 1 change(s)
    • a37d1ee : Fix security issue in Visualizer effect

  • device/moto/shamu with 2 change(s)
    • 67b5be4 : Revert "Revert "Revert "Path fix for backend connection to FE upon call disconnection"""
    • 8e88ad7 : Revert "audio: fix headset + speaker path"

  • device/moto/shamu-kernel with 8 change(s)
    • 8fddeb0 : Fixing kernel merge conflict (cherry picked from commit ebc0c922a6d9c518c1cd037a3225e48ea3ad8e41)
    • 80f4023 : shamu: update kernel prebuilt
    • a5695fa : shamu: update kernel prebuilt
    • 05ef9b9 : shamu: update prebuilt kernel
    • 49b50bd : shamu: update prebuilt kernel
    • 2b6acb2 : shamu: update prebuilt kernel
    • 0b3b978 : shamu: update prebuilt kernel
    • 8ae7c5f : shamu: update prebuilt kernel

  • platform/bionic with 2 change(s)
    • 0d23f83 : linker: remove link from external library on unload
    • e046081 : Check for bad packets in getaddrinfo.c's getanswer.

  • platform/bootable/recovery with 1 change(s)
    • 2c6c23f : Add a checker for signature boundary in verifier

  • platform/build with 40 change(s)

  • platform/external/boringssl with 3 change(s)
    • 72e9b9e : CVE 2016-2109 fix
    • 0ea0642 : Always use Fermat's Little Theorem in ecdsa_sign_setup.
    • 54bf62a : Rewrite BN_bn2dec.

  • platform/external/dng_sdk with 1 change(s)
    • a17ec13 : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/libavc with 43 change(s)
    • de46b8d : Fixed hang in the case of multiple sps id.
    • 85317e6 : Decoder: Fix in the case of MMCO 6
    • 198a235 : Decoder: Cleaned up parse sps function.
    • d3db16f : Initializing reference list for every P/B slice.
    • aba853c : Fix resolution change within a decode call.
    • 09cfe54 : Decoder: Fixed allocation size of pred info buffer
    • f181edf : Decoder: Fix end of bitstream error.
    • 42b30cb : Decoder: Fix allocation for Mbaff weight matrix
    • 6edbd1c : Decoder: Initialize MB info buffer to zero.
    • e956f6d : Decoder: Fixed flag u1_top_bottom_decoded.
    • 01efe03 : Decoder: Added an error check while parsing PPS.
    • dc56a94 : Fix stack buffer overflow in ih264d_process_intra_mb
    • bc3c0aa : Decoder: Fix in reference list initialization.
    • 85e5737 : Decoder: Fixes in accessing mbaff flag in error cases
    • 0d11f63 : Fix in the case of MMCO 3 (long term reference idx).
    • b7e0acb : Decoder: Fixes in accessing mbaff flag in error cases
    • 5ab53da : Decoder: Fixed number of MB calculation for interlaced error streams
    • 2b414a6 : Decoder: Fix in reference list initialization.
    • c1510f1 : Fix in the case of MMCO 3 (long term reference idx).
    • fc06de2 : Decoder: Fixed error handling for dangling fields
    • 33c58f0 : resolve merge conflicts of 3654ad0 to mnc-dr-dev
    • e3c28fd : Decoder: Fixed initialization of first_slice_in_pic
    • d7f020b : Decoder: Moved end of pic processing to end of decode call
    • f9152b9 : Decoder: Treat first slice in a picture as part of new picture always
    • 11d7e64 : Decoder: Return correct error code for slice header errors
    • c75d1a7 : Decoder: Initialize default reference buffers for all pictures
    • 7b7830a : Fix in returning end of bitstream error for MBAFF
    • 809dd02 : Decoder: Fixes an out of bound write in bitstream buffer
    • 6aac820 : Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
    • 0a4463e : Decoder: Fix in checking first_mb_in_slice
    • 4a61d15 : Decoder: Increase memory allocation for weights & offsets for interlaced clips
    • 19814b7 : Decoder: Fixed DoS in header decode when no PPS is present
    • 0340381 : Decoder: Initialize ps_cur_slice-u1_mbaff_frame_flag correctly for error cases
    • 85c0ec4 : Decoder: Fixed an out of bound access while parsing SEI
    • 21851ea : Decoder: Fix in MB count in MBAff error handling
    • aa78b96 : Call ih264d_deblock_display only for valid process calls
    • ec9ab83 : Decoder: Fixed allocation of ps_dec-ps_nbr_mb_row
    • fd9a12f : Decoder: Fixed cur_mb_info initialization in error cases
    • a467b1f : Decoder: Fix in error concealment in the case of Mbaff clips
    • 0e8b1df : Decoder: Fix in the case of error in the first MB in frame.
    • c4f1525 : Decoder: Fix in returning incomplete frame error
    • 3695b6b : Decoder: Fix initialization of ps_next_dpb during reference list creation
    • cf606f3 : Decoder: Fix in checking for valid profile flags

  • platform/external/libgdx with 8 change(s)
    • 7966b4e : Fix 36385715 heap overflow when loading HDR files
    • 1562b0a : Fix Pixmap overflow. Bug 36621442
    • 62872f6 : Fix series of JPEG vulnerabilities
    • 7ff07af : Fix 36385715 heap overflow when loading HDR files
    • c7345db : Fix heap overflow when loading a PSD. bug 36368305
    • eb13b1f : Security fix for overflow check.
    • fba04a5 : Fix buffer overflows
    • c156e72 : Fix security vulnerability

  • platform/external/libhevc with 21 change(s)
    • 664a201 : Fix OOB issue in nal unit parsing
    • 2299963 : Set pic_present at end of pic_init instead of beginning
    • c1f4979 : Handle error return in parse slice
    • b26bf76 : Fix heap buffer overflow while searching for valid PPS
    • db12d4d : Check for buffer overflow in pps/slice header parsing
    • 19686ab : memset SPS to zero
    • 528d96f : Fix reallocation for new sps
    • 1f0c239 : Check for cpb cnt in hrd parsing
    • 54e337a : Correct Tiles rows and cols check
    • 8bb3e89 : Set current slice ctb x and y to fill prev incomplete slice
    • 3fbadb5 : Check only allocated mv bufs for releasing from reference
    • 32477b0 : Return error from cabac init if offset is greater than range
    • 8f01a47 : Handle error return from ref list in slice hdr parsing
    • b196ae3 : Return error if SPS parsing reads more bytes than the nal length
    • edbd2a6 : Handle invalid num_reorder_pics & max_dec_pic_buffering in SPS
    • d5736d9 : Fix in handling wrong cu_qp_delta
    • dfa7251 : Added check for invalid log2_max_transform_block_size in SPS
    • 3a64694 : Fixed handling invalid chroma tu size for error clips
    • f22345d : Fixed out of bound reads in stack variables
    • e20f6b8 : Fix in Chroma SAO for non-multiple of 8 height
    • b25d141 : Handle invalid slice_address in slice header

  • platform/external/libmpeg2 with 10 change(s)
    • 100c2bd : Correcting NumCoeff Check in VLD
    • 6a97d04 : Adding Error Check For PictureStructure Param
    • 3231d14 : Update mbs_left In Case Of Missing Slice
    • 874325c : Check For Zero Width/Height in Frame Header
    • a2dc168 : Check Number of Skip MBs
    • 6c4b5fc : Error Resilience - Check on as_recent_fld[0][1]
    • 7aeb3df : Fix Bytes Consumed Issue
    • 54a161c : Fix in handling header decode errors
    • 489ecbb : Check for Valid Frame Rate in Header
    • 47a5c8b : Error Check for VLD Symbols Read

  • platform/external/libnfc-nci with 1 change(s)
    • c67cc6a : Fix native crash in nfc_ncif_proc_activate

  • platform/external/libnl with 2 change(s)
    • ec857b5 : Perform range check on len in nlmsg_reserve
    • 77a7bed : libnl: Check data length in nla_reserve / nla_put

  • platform/external/libopus with 1 change(s)
    • 1ad8009 : Ensure that NLSF cannot be negative when computing a min distance between them

  • platform/external/libvpx with 3 change(s)
    • a7c0c91 : Limit vpx decoder to 4K frames
    • 6f5927d : libvpx: Cherry-pick 1961a92 from upstream
    • 145f317 : vp8:fix threading issues

  • platform/external/skia with 1 change(s)
    • df6e8ec : Fix out of bounds memory read in GIFMovie.cpp

  • platform/external/sonivox with 3 change(s)

  • platform/external/tremolo with 2 change(s)
    • 1e904fa : Always use unsigned char
    • a4327f0 : Tremolo: fix ARM assembly code for decode_map type 3 case

  • platform/frameworks/av with 37 change(s)
    • 9939955 : Fix security vulnerability: Equalizer setParameter memory overflow
    • 726ced1 : RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
    • 2665d35 : better manage buffer for libstagefright_soft_mpeg4enc
    • 2ebd22c : m4v_h263: update width/height only when they are valid.
    • d05e70a : m4v_h263: check header first before decoding a frame.
    • 50b9be9 : Fix integer overflow in mediadrmserver
    • 4edf7ba : Fix potential leak
    • d6b5087 : Modifying MetaData invalidates previous char*
    • 2e5c674 : Fix memory leak in error case
    • 3be215b : Limit ogg packet size
    • 75eb630 : Prevent OOB write in soft_avc encoder
    • 6032b25 : Don't allow using or allocating a buffer after the first state transition
    • cf2f0ba : Avoid crash for stss sync sample number 0
    • b33d585 : Avoid crash for stss sync sample number 0
    • f8f19fb : Don't allow using or allocating a buffer after the first state transition
    • 0be0ed5 : FLACExtractor: copy protect mWriteBuffer
    • f8fc1e8 : Add bounds check in SoftAACEncoder2::onQueueFilled()
    • ddc86fc : Fix NPDs in h263 decoder
    • 94a2371 : Fix out of bounds access
    • 76a66d3 : Fix integer overflow and divide-by-zero
    • 1552726 : Validate lengths in HEVC metadata parsing
    • bb1408b : codecs: handle onReset() for a few encoders
    • 51e7260 : AudioFlinger: Check framecount overflow when creating track
    • b39ad06 : resolve merge conflicts of 79cf158c51 to mnc-dev
    • 2395604 : EffectBundle: check nb channels to write speaker angles
    • d9bfa1e : Fix overflow check and check read result
    • f0ce53d : CameraBase: Don't return an sp by reference
    • 5cabe32 : avc_utils: skip empty NALs from malformed bistreams
    • bc62c08 : Don't initialize sync sample parameters until the end
    • 048ba59 : Fix security vulnerability: potential OOB write in audioserver
    • bab10e4 : Effect: Use local cached data for Effect commit
    • e684672 : Fix security vulnerability: Effect command might allow negative indexes
    • 4adf91c : Make VBRISeeker more robust
    • 70b95dd : Effects: Check get parameter command size
    • adb8603 : Fix security vulnerability: Equalizer command might allow negative indexes
    • a09eaa0 : stagefright: remove allottedSize equality check in IOMX::useBuffer
    • 0e1e9f4 : Visualizer: Check capture size and latency parameters

  • platform/frameworks/base with 30 change(s)
    • 8a33f7a : Close connection before retrying
    • 9a559e0 : ZygoteInit: Remove CAP_SYS_RESOURCE
    • f6bf7de : system_server: add CAP_SYS_PTRACE
    • e429f2a : Make a11y node info parceling more robust
    • 6e5b745 : Fix issue with saving admins before finishing loading.
    • aeefec3 : resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev fix conflict in nyc-mr2-release Change-Id: I97ef31536cd06495a08a3f94f81df2d1376186e0
    • e17be37 : Protect Bluetooth OPP ACCEPT and DECLINE broadcast fix merge conflict into nyc-mr1-release branches Non-system apps could send these, and accept OPP transfers without user interaction.
    • b406288 : Do not write if apply() did not change the file.
    • e346265 : Only persist last Shared Preferences state
    • 164437c : Fixed the logic for tethering provisioning re-evaluation
    • 7261a92 : Fix issue with saving admins before finishing loading.
    • 618391b : resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev
    • d22261f : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f am: 2da05d0f9e
    • 5f621b5 : Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable.
    • 1c4d535 : Prevent writing to FRP partition during factory reset.
    • de5747d : Fix vulnerability in MemoryIntArray
    • faf904b : Zygote : Block SIGCHLD during fork.
    • c4b8272 : Fix idmap leak in zygote process
    • 7f0c2c8 : Zygote: Additional whitelisting for legacy devices.
    • f522425 : Zygote: Additional whitelists for runtime overlay / other static resources.
    • def0efd : Public volumes belong to a single user.
    • 25ddf85 : Add SafetyNet logging to DHCP packet parsing
    • ec129c3 : Reject DHCP packets with no magic cookie
    • c28117b : Catch runtime exceptions when parsing DHCP packets
    • ad760e1 : Fix boot loop when upgrading direclty from L to N
    • 3570784 : Revert "Catch KeyStoreException for setting profile lock"
    • 867ef61 : Catch KeyStoreException for setting profile lock
    • 0804215 : Fixed a bug with the emergency affordance in multi user
    • 84e380e : Catch KeyStoreException for setting profile lock
    • aca11d8 : Fixed a bug with the emergency affordance in multi user

  • platform/frameworks/ex with 2 change(s)
    • 7c824f1 : resolve merge conflicts of 89cdd4cb to mnc-dev
    • 30ee0df : resolve merge conflicts of 3802db4 to mnc-dev

  • platform/frameworks/native with 10 change(s)
    • b2f168d : fix race condition that can cause a use after free
    • 32a0a43 : libgui: check for invalid slot in attachBuffer
    • 23506e3 : libgui: Check slot received from IGBP in Surface
    • c2f2750 : ui: Fix bad size check in Fence::unflatten
    • e3fd69c : Fix security vulnerability
    • 541b1eb : Correct overflow check in Parcel resize code
    • 74dae33 : Fix security vulneratibly 31960359
    • 509fb5c : Fix SF security vulnerability: 32706020
    • 38ac668 : Fix SF security vulnerability: 32660278
    • 9a8df9a : Fix integer overflow in unsafeReadTypedVector

  • platform/frameworks/opt/net/wifi with 2 change(s)
    • 004b6dd : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
    • 41c42f5 : configparse: do not delete passpoint configuration file

  • platform/hardware/broadcom/wlan with 3 change(s)
    • 2d119d0 : net: wireless: bcmdhd: update bcm4354/56 FW (7.35.101.6)
    • e3b033a : net: wireless: bcmdhd: adding bssid count NL attribute in SWC config
    • a81c7ef : net: wireless: bcmdhd: update bcm4354/56 FW (7.35.101.5)

  • platform/hardware/libhardware with 1 change(s)
    • 9f0e940 : Fix security vulnerability: potential OOB write in audioserver

  • platform/hardware/qcom/audio with 3 change(s)
    • 9b4fd30 : Fix security vulnerability: Equalizer setParameter memory overflow
    • 7e12c89 : Fix security vulnerability: Effect command might allow negative indexes
    • a0bfcdb : Fix security vulnerability: Equalizer command might allow negative indexes

  • platform/libcore with 7 change(s)
    • 960cce1 : Proper fix for rejecting ftp URL with /r/n.
    • 7cf8d55 : Test for rejection of ftp URL with /r/n in userinfo
    • 7ed0a6c : Test for rejection of ftp URL with /r/n in userinfo
    • 7034b98 : Reject ftp URLConnection containing /r/n in user info.
    • c82a939 : Fix URLTest#testAtSignInUserInfo failure
    • 54c9bd5 : Pull upstream fix for CVE-2016-5552
    • c55ce33 : Fix URL parser may return wrong host name

  • platform/packages/apps/Bluetooth with 3 change(s)
    • f474940 : Prevent OPP from opening files that aren't sent over Bluetooth
    • d49c1a6 : OPP: Restrict file based URI access to external storage
    • 379e7b6 : Remove MANAGE_DOCUMENTS permission as it isn't needed

  • platform/packages/apps/CertInstaller with 2 change(s)
    • 1ad3b1e : WifiInstaller: add permission for access downloaded files
    • 1166ca8 : WifiInstaller: remove the installation file

  • platform/packages/apps/ContactsCommon with 1 change(s)
    • 80822d7 : resolve merge conflicts of 9f523b4 to nyc-dev

  • platform/packages/apps/Messaging with 5 change(s)
    • 3f98211 : 32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap-Colors[colorIndex]
    • 8ba22b4 : 33388925 Mismatched new vs delete in framesequence library
    • 1bb11f3 : resolve merge conflicts of eafd58a to nyc-dev
    • 13f739b : 32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app.
    • 86e5bf5 : 32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so

  • platform/packages/apps/PackageInstaller with 1 change(s)
    • 5c49b6b : Prioritize package installer intent filter

  • platform/packages/apps/Settings with 4 change(s)
    • 53f3b26 : Fix phishing attack in ChooseLockGeneric
    • 22b9ff7 : resolve merge conflicts of 3964c51bf2 to nyc-dev
    • 951aef4 : resolve merge conflicts of 3964c51bf2 to nyc-dev
    • e41ac81 : Ignore orientation change to preserve ApnEditor.

  • platform/packages/apps/TvSettings with 2 change(s)
    • 7ef9b3a : Provide stub intent filters for CTS
    • abc1728 : Provide stub intent filters for CTS

  • platform/packages/apps/UnifiedEmail with 1 change(s)
    • 1fc7b01 : Don't allow file attachment from /data through GET_CONTENT.

  • platform/packages/services/Telephony with 3 change(s)
    • c88b976 : Added permission check for setCellInfoListRate
    • 38b45bb : Catch SIP exceptions which can crash Phone process on answer.
    • c8f5e04 : Not cache empty config bundle.

  • platform/system/bt with 4 change(s)
    • 3ac0431 : Check LE advertising data length before caching advertising records
    • 1c6662b : resolve merge conflicts of a3ee2e35 to nyc-dev
    • 2675836 : Remove position dependent lookup tables in AT command parser
    • b90b669 : Mask out HFP 1.7 feature bits if peer version is 1.7

  • platform/system/core with 2 change(s)
    • 5cc8666 : Fix out of bound read in libziparchive
    • 7f94bb4 : change /data/bugreports to /bugreports

  • platform/system/sepolicy with 2 change(s)
    • e9ead7d : system_server: replace sys_resource with sys_ptrace
    • 54a3eec : label /bugreports