Android Nougat AOSP Changes

Changes from 7.1.1_r50 (N8I11B) to 7.1.1_r51 (N4F27O):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Updated Components (38):

  • device/htc/flounder with 1 change(s)
    • 8c6d352 : Fix security issue in Visualizer effect

  • device/htc/flounder-kernel with 3 change(s)
    • 5a2b6e8 : flounder: update kernel prebuild (Jul 2017 NYC-MR1 Security)
    • fb053e6 : Revert "flounder: update kernel prebuild (Jan 2017 NYC-MR1 Security)"
    • d6defca : flounder: update kernel prebuild (Jan 2017 NYC-MR1 Security)

  • platform/bionic with 2 change(s)
    • 3dd8fd9 : linker: remove link from external library on unload
    • af2b89d : Check for bad packets in getaddrinfo.c's getanswer.

  • platform/bootable/recovery with 1 change(s)
    • 8c51563 : Add a checker for signature boundary in verifier

  • platform/build with 44 change(s)

  • platform/external/boringssl with 3 change(s)
    • 2209bdc : CVE 2016-2109 fix
    • c82cdce : Always use Fermat's Little Theorem in ecdsa_sign_setup.
    • 389f3a6 : Rewrite BN_bn2dec.

  • platform/external/dng_sdk with 1 change(s)
    • ebd4085 : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/libavc with 44 change(s)
    • 4da576e : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • 411a00e : Decoder: Fixed overflow in refernce list creation.
    • f7fe15d : Initialize DPB structures to valid values.
    • 8f1483b : Added error check for output buffer size.
    • aeab48d : Fixed hang in the case of multiple sps id.
    • f0b3242 : Decoder: Fix in the case of MMCO 6
    • 53d36a4 : Decoder: Cleaned up parse sps function.
    • 64ea48b : Initializing reference list for every P/B slice.
    • e2eb5b1 : Fix resolution change within a decode call.
    • 3773f20 : Decoder: Fixed allocation size of pred info buffer
    • cac3375 : Decoder: Fix end of bitstream error.
    • ceb6280 : Decoder: Fix allocation for Mbaff weight matrix
    • b3e7b89 : Decoder: Initialize MB info buffer to zero.
    • 929c583 : Decoder: Fixed flag u1_top_bottom_decoded.
    • b0c4f7b : Decoder: Added an error check while parsing PPS.
    • 3da38f2 : Fix stack buffer overflow in ih264d_process_intra_mb
    • 611d72b : Decoder: Fix in reference list initialization.
    • b39f9d0 : Decoder: Fixes in accessing mbaff flag in error cases
    • 548b588 : Fix in the case of MMCO 3 (long term reference idx).
    • 87eb124 : Decoder: Fixed number of MB calculation for interlaced error streams
    • e06af0c : Decoder: Fixed error handling for dangling fields
    • ebfae1e : resolve merge conflicts of 3654ad0 to mnc-dr-dev
    • 70377a7 : Decoder: Fixed initialization of first_slice_in_pic
    • 20406fd : Decoder: Moved end of pic processing to end of decode call
    • 1a151ba : Decoder: Treat first slice in a picture as part of new picture always
    • 5b1e606 : Decoder: Return correct error code for slice header errors
    • fdf4e0f : Decoder: Initialize default reference buffers for all pictures
    • f924833 : Fix in returning end of bitstream error for MBAFF
    • 79e21c8 : Decoder: Fixes an out of bound write in bitstream buffer
    • 2941056 : Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
    • 4b34816 : Decoder: Fix in checking first_mb_in_slice
    • 057906a : Decoder: Increase memory allocation for weights & offsets for interlaced clips
    • 588ae7f : Decoder: Fixed DoS in header decode when no PPS is present
    • 686d1fb : Decoder: Initialize ps_cur_slice-u1_mbaff_frame_flag correctly for error cases
    • 28d6ac6 : Decoder: Fixed an out of bound access while parsing SEI
    • e077964 : Decoder: Fix in MB count in MBAff error handling
    • 66edaca : Call ih264d_deblock_display only for valid process calls
    • 5631b39 : Decoder: Fixed allocation of ps_dec-ps_nbr_mb_row
    • 8acbacd : Decoder: Fixed cur_mb_info initialization in error cases
    • f39228a : Decoder: Fix in error concealment in the case of Mbaff clips
    • 0030772 : Decoder: Fix in the case of error in the first MB in frame.
    • 015fca4 : Decoder: Fix in returning incomplete frame error
    • c8e5ad3 : Decoder: Fix initialization of ps_next_dpb during reference list creation
    • 6403745 : Decoder: Fix in checking for valid profile flags

  • platform/external/libhevc with 25 change(s)
    • f12819e : Limit boundary PU sizes in case of errors
    • e7b7610 : Fix array size for hrd parameters
    • 5370950 : Check number of output buffers and sizes
    • 421090a : Return error for invalid crop parameters
    • 719a02c : Fix OOB issue in nal unit parsing
    • 32ce806 : Set pic_present at end of pic_init instead of beginning
    • f1b81b9 : Handle error return in parse slice
    • 1e5b235 : Fix heap buffer overflow while searching for valid PPS
    • 865b6b1 : Check for buffer overflow in pps/slice header parsing
    • 068e676 : memset SPS to zero
    • e59fb1d : Fix reallocation for new sps
    • 8549298 : Check for cpb cnt in hrd parsing
    • 47e9b74 : Correct Tiles rows and cols check
    • 5d17663 : Set current slice ctb x and y to fill prev incomplete slice
    • e6f04b1 : Check only allocated mv bufs for releasing from reference
    • 0133b2f : Return error from cabac init if offset is greater than range
    • 3bc0f91 : Handle error return from ref list in slice hdr parsing
    • a8c54cf : Return error if SPS parsing reads more bytes than the nal length
    • cbeaf95 : Handle invalid num_reorder_pics & max_dec_pic_buffering in SPS
    • b06fcff : Fix in handling wrong cu_qp_delta
    • 4632037 : Added check for invalid log2_max_transform_block_size in SPS
    • d6e122d : Fixed handling invalid chroma tu size for error clips
    • 2ebdc02 : Fixed out of bound reads in stack variables
    • 8e3e5b1 : Fix in Chroma SAO for non-multiple of 8 height
    • a15d536 : Handle invalid slice_address in slice header

  • platform/external/libmpeg2 with 10 change(s)
    • e460766 : Correcting NumCoeff Check in VLD
    • 8425c2e : Adding Error Check For PictureStructure Param
    • 397159f : Update mbs_left In Case Of Missing Slice
    • 6c62499 : Check For Zero Width/Height in Frame Header
    • 09dcec8 : Check Number of Skip MBs
    • 4f63cc1 : Error Resilience - Check on as_recent_fld[0][1]
    • c1ed402 : Fix Bytes Consumed Issue
    • 052cc94 : Fix in handling header decode errors
    • 8d49341 : Check for Valid Frame Rate in Header
    • 01f3db4 : Error Check for VLD Symbols Read

  • platform/external/libnfc-nci with 1 change(s)
    • 3e3d4ce : Fix native crash in nfc_ncif_proc_activate

  • platform/external/libnl with 2 change(s)
    • 07561d9 : Perform range check on len in nlmsg_reserve
    • 7dd2dbd : libnl: Check data length in nla_reserve / nla_put

  • platform/external/libopus with 1 change(s)
    • 9eff1d5 : Ensure that NLSF cannot be negative when computing a min distance between them

  • platform/external/libvpx with 3 change(s)
    • 05184fc : Limit vpx decoder to 4K frames
    • e7da1ed : libvpx: Cherry-pick 1961a92 from upstream
    • 0603d0c : vp8:fix threading issues

  • platform/external/skia with 1 change(s)
    • 440638d : Fix out of bounds memory read in GIFMovie.cpp

  • platform/external/sonivox with 4 change(s)

  • platform/external/tremolo with 3 change(s)
    • db70f58 : Use heap instead of alloca in res012.c
    • 4e76a6e : Always use unsigned char
    • b61055f : Tremolo: fix ARM assembly code for decode_map type 3 case

  • platform/frameworks/av with 48 change(s)
    • 6701dd3 : MPEG4Source: fix fragmented read.
    • 89a1edc : stagefright: fix crash due to bad timestamp index
    • b1a1cce : stagefright: check aac_frame_length to prevent infinite loop
    • 006badf : MediaPlayerService: fix access of mPlayer in client
    • 7e41ba5 : audio effects: filter reserved effect commands
    • 0c18b2e : MPEG4Extractor: ensure returned status is checked.
    • 8fed620 : Change MPEG2 reinit Error Handling
    • 6ee4ab6 : Track: Check buffer size of static tracks
    • c1d0a3c : MPEG4Extractor: check size for yrrc box
    • a55e646 : AudioFlinger: Fix memory allocation for client-less tracks
    • 2e06b35 : Notify Errors Appropriately from SoftMPEG2
    • 106b034 : EffectBundle: Check value size for get preset name
    • d8c0143 : Fix TOCTOU problem in libstagefright_soft_aacenc
    • f6a7fbb : Fix security vulnerability: Equalizer setParameter memory overflow
    • 15b0e4d : RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
    • a180dfb : better manage buffer for libstagefright_soft_mpeg4enc
    • 561cabd : m4v_h263: update width/height only when they are valid.
    • a841d4e : m4v_h263: check header first before decoding a frame.
    • fa5abc9 : Fix integer overflow in mediadrmserver
    • 2893492 : Fix potential leak
    • 86ba6a6 : Modifying MetaData invalidates previous char*
    • d590200 : Fix memory leak in error case
    • b141632 : Limit ogg packet size
    • 2ba843c : Prevent OOB write in soft_avc encoder
    • 3277238 : Don't allow using or allocating a buffer after the first state transition
    • 9d5ee26 : Avoid crash for stss sync sample number 0
    • e707523 : FLACExtractor: copy protect mWriteBuffer
    • a03bccc : Add bounds check in SoftAACEncoder2::onQueueFilled()
    • 23a4e08 : Fix NPDs in h263 decoder
    • 4e85c47 : Fix out of bounds access
    • 5e7096d : Fix integer overflow and divide-by-zero
    • c95878a : Validate lengths in HEVC metadata parsing
    • d370c15 : codecs: handle onReset() for a few encoders
    • 28f25f1 : AudioFlinger: Check framecount overflow when creating track
    • 70debbc : resolve merge conflicts of 79cf158c51 to mnc-dev
    • 2f78c70 : EffectBundle: check nb channels to write speaker angles
    • 3247c85 : Fix overflow check and check read result
    • cb15fe4 : CameraBase: Don't return an sp by reference
    • 5109209 : avc_utils: skip empty NALs from malformed bistreams
    • 976f76a : Don't initialize sync sample parameters until the end
    • 0eae364 : Fix security vulnerability: potential OOB write in audioserver
    • ee169b8 : Effect: Use local cached data for Effect commit
    • 20cd1ea : Fix security vulnerability: Effect command might allow negative indexes
    • 16e7fa2 : Make VBRISeeker more robust
    • a1712f7 : Effects: Check get parameter command size
    • b57c79b : Fix security vulnerability: Equalizer command might allow negative indexes
    • 12ac1ae : stagefright: remove allottedSize equality check in IOMX::useBuffer
    • 6e6e992 : Visualizer: Check capture size and latency parameters

  • platform/frameworks/base with 23 change(s)
    • cc29b09 : Back-port fixes for b/62196835
    • 37a1727 : Close connection before retrying
    • 5312011 : ZygoteInit: Remove CAP_SYS_RESOURCE
    • 9a5f25a : system_server: add CAP_SYS_PTRACE
    • 4d0c0b2 : Make a11y node info parceling more robust
    • be847ca : Fix issue with saving admins before finishing loading.
    • 730cf1b : resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev fix conflict in nyc-mr2-release Change-Id: I97ef31536cd06495a08a3f94f81df2d1376186e0
    • c0748ad : Protect Bluetooth OPP ACCEPT and DECLINE broadcast fix merge conflict into nyc-mr1-release branches Non-system apps could send these, and accept OPP transfers without user interaction.
    • 619294b : Fixed the logic for tethering provisioning re-evaluation
    • 0aa690c : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f am: 2da05d0f9e
    • 516878f : Fix issue with saving admins before finishing loading.
    • 3dc78b6 : resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev
    • 1408ffa : Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable.
    • 6a6fe03 : Prevent writing to FRP partition during factory reset.
    • a683cda : Fix vulnerability in MemoryIntArray
    • badbe4e : Zygote : Block SIGCHLD during fork.
    • 79a52bb : Fix idmap leak in zygote process
    • 9b2c33c : Zygote: Additional whitelisting for legacy devices.
    • 2b074fa : Zygote: Additional whitelists for runtime overlay / other static resources.
    • d9f38b1 : Public volumes belong to a single user.
    • 20626d4 : Add SafetyNet logging to DHCP packet parsing
    • ec7bb1d : Reject DHCP packets with no magic cookie
    • 1af48bb : Catch runtime exceptions when parsing DHCP packets

  • platform/frameworks/ex with 2 change(s)
    • 3f8da55 : resolve merge conflicts of 89cdd4cb to mnc-dev
    • 854f11a : resolve merge conflicts of 3802db4 to mnc-dev

  • platform/frameworks/native with 10 change(s)
    • acb44f4 : fix race condition that can cause a use after free
    • ab23ef3 : libgui: check for invalid slot in attachBuffer
    • a37af6f : libgui: Check slot received from IGBP in Surface
    • b479f1d : ui: Fix bad size check in Fence::unflatten
    • 198090d : Fix security vulnerability
    • 079e79c : Fix security vulneratibly 31960359
    • dc6d25f : Fix SF security vulnerability: 32706020
    • 65dd433 : Correct overflow check in Parcel resize code
    • cb7eff6 : Fix SF security vulnerability: 32660278
    • 8163b88 : Fix integer overflow in unsafeReadTypedVector

  • platform/frameworks/opt/net/wifi with 2 change(s)
    • c9aa0df : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
    • dceb463 : configparse: do not delete passpoint configuration file

  • platform/hardware/broadcom/wlan with 4 change(s)
    • fbeac26 : net: wireless: bcmdhd: update bcm4354/4356 FW (7.35.101.8)
    • 98ba63a : net: wireless: bcmdhd: update bcm4354/56 FW (7.35.101.6)
    • e760be1 : net: wireless: bcmdhd: adding bssid count NL attribute in SWC config
    • c60518d : net: wireless: bcmdhd: update bcm4354/56 FW (7.35.101.5)

  • platform/hardware/libhardware with 1 change(s)
    • 63c974b : Fix security vulnerability: potential OOB write in audioserver

  • platform/hardware/qcom/audio with 4 change(s)
    • 62b3932 : Equalizer: Check value size for get preset name
    • 37f5294 : Fix security vulnerability: Equalizer setParameter memory overflow
    • 51e4565 : Fix security vulnerability: Effect command might allow negative indexes
    • 74f4b13 : Fix security vulnerability: Equalizer command might allow negative indexes

  • platform/libcore with 5 change(s)
    • 766b605 : Proper fix for rejecting ftp URL with /r/n.
    • 78da9d6 : Test for rejection of ftp URL with /r/n in userinfo
    • bbcb2cc : Fix URLTest#testAtSignInUserInfo failure
    • 41e7822 : Pull upstream fix for CVE-2016-5552
    • dae6afd : Fix URL parser may return wrong host name

  • platform/packages/apps/Bluetooth with 3 change(s)
    • 6cfdc16 : Prevent OPP from opening files that aren't sent over Bluetooth
    • d8b4a6c : OPP: Restrict file based URI access to external storage
    • 22d032f : Remove MANAGE_DOCUMENTS permission as it isn't needed

  • platform/packages/apps/CertInstaller with 2 change(s)
    • 0c3623d : WifiInstaller: add permission for access downloaded files
    • 66c86a6 : WifiInstaller: remove the installation file

  • platform/packages/apps/ContactsCommon with 1 change(s)
    • bb07eb5 : resolve merge conflicts of 9f523b4 to nyc-dev

  • platform/packages/apps/Messaging with 6 change(s)
    • 532c96f : 37742976 - Catch bad gifs
    • b2d8d72 : 32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap-Colors[colorIndex]
    • ef5244a : 33388925 Mismatched new vs delete in framesequence library
    • 1da8691 : resolve merge conflicts of eafd58a to nyc-dev
    • d599d42 : 32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app.
    • a60fa15 : 32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so

  • platform/packages/apps/Nfc with 1 change(s)
    • d1b5ec8 : Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

  • platform/packages/apps/PackageInstaller with 1 change(s)
    • 18936da : Prioritize package installer intent filter

  • platform/packages/apps/Settings with 3 change(s)
    • 81ff923 : Back-port ag/2491664
    • 08869b3 : Fix phishing attack in ChooseLockGeneric
    • 08b8b9b : resolve merge conflicts of 3964c51bf2 to nyc-dev

  • platform/packages/apps/UnifiedEmail with 1 change(s)
    • 0797acb : Don't allow file attachment from /data through GET_CONTENT.

  • platform/packages/services/Telephony with 2 change(s)
    • ad7643c : Added permission check for setCellInfoListRate
    • dda466a : Catch SIP exceptions which can crash Phone process on answer.

  • platform/system/bt with 9 change(s)
    • bf6f32b : Add missing extension length check while parsing BNEP control packets
    • 85dab2d : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • 5462195 : Add a missing check for PAN buffer size before copying data
    • cd6eefb : Add missing packet length checks while parsing BNEP control packets
    • 5196e85 : Add missing continuation offset check for SDP continuation requests
    • 3e8734c : Disable PAN Reverse Tethering when connection originated by the Remote
    • 8c87b2c : Allocate buffers of the right size when BT_HDR is included
    • b467e30 : Check LE advertising data length before caching advertising records
    • c40d71a : resolve merge conflicts of a3ee2e35 to nyc-dev

  • platform/system/core with 2 change(s)
    • 96d2e28 : Fix out of bound read in libziparchive
    • cd77f5e : change /data/bugreports to /bugreports

  • platform/system/sepolicy with 2 change(s)
    • ca0b449 : system_server: replace sys_resource with sys_ptrace
    • 1d145be : label /bugreports