Android Nougat AOSP Changes

Changes from 7.1.1_r58 (N9F27M) to 7.1.1_r59 (NMF26O):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Updated Components (67):

  • device/asus/fugu with 3 change(s)
    • a04581f : update media_codecs_performance.xml
    • 4a39caa : update media_codecs_performance.xml
    • e31f75d : dexpreopt: make significantly more room for l10n builds

  • device/google/dragon with 1 change(s)
    • b047135 : Fix audio record pre-processing

  • device/google/marlin with 2 change(s)
    • 475df60 : sepolicy: grant thermal-engine sys_boot
    • 3b48a49 : Add a thermal shutdown to marlin

  • device/htc/flounder with 1 change(s)
    • cd55db6 : Fix security issue in Visualizer effect

  • platform/art with 1 change(s)
    • 0484f8b : Use conservative permissions when creating files in ART

  • platform/bionic with 2 change(s)
    • 8e89000 : linker: remove link from external library on unload
    • f961c5a : Check for bad packets in getaddrinfo.c's getanswer.

  • platform/bootable/recovery with 1 change(s)
    • 4d93a31 : Add a checker for signature boundary in verifier

  • platform/build with 14 change(s)
    • b84fd0a : Specify --max_timestamp when calling brillo_update_payload.
    • a081c9b : Update Security String to 2017-05-01 on nyc-dev
    • 04d1c9b : Update Security String to 2017-04-01 on nyc-dev
    • 06777dc : Updating Security String to 2017-03-01 on nyc-dev
    • 42f3b01 : Update Security String to 2017-02-01 on nyc-dev
    • c5865f0 : Updating Security String to 2017-01-01 on nyc-dev
    • b0373ed : NMF26O
    • 1af9291 : NMF26N
    • bb74ad8 : NMF26M
    • c16220e : NMF26L
    • 634a3b3 : NMF49
    • 77297c8 : NMF26K
    • 890b9c9 : NMF26J
    • 53d8a4a : NMF26I

  • platform/cts with 2 change(s)
    • c1a0f8a : StagefrightTest: add CTS test for bug 32322258
    • f35297b : StagefrightTest: add test for bug 32577290

  • platform/external/aac with 1 change(s)
    • 1b3ca9d : Fix out of bound memory access in lppTransposer

  • platform/external/boringssl with 2 change(s)

  • platform/external/bouncycastle with 1 change(s)
    • a583d49 : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • 7f81e6e : Test for error in handling getters changing element kind.

  • platform/external/curl with 1 change(s)
    • 1679db4 : Disable unused protocols.

  • platform/external/dng_sdk with 1 change(s)
    • 33e1e3e : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/dnsmasq with 2 change(s)
    • 0ae6a86 : Add extra (size_t) cast to avoid compiler warning.
    • 440e7dc : Make dnsmasq more stable.

  • platform/external/e2fsprogs with 1 change(s)
    • 36d1c8b : Ignore quotes in safe_print().

  • platform/external/libavc with 65 change(s)
    • 04d88f2 : Decoder: Delete node from st if lt and st point to same
    • 6763472 : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 96d5635 : Bug fix for flush without valid frames
    • 2fcf16d : Decoder: Modify setting short term reference field flag
    • 557b2b8 : Encoder: Return error for odd resolution
    • 7eae985 : Decoder: Set prev slice type for I slice.
    • 2b760c0 : Decoder: Fixed reset values in parse sps.
    • ff84801 : Decoder: Fixed memory overflow in shared display mode.
    • fab6c6a : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • 94724f3 : Decoder: Modified loop condition while parsing ref_list_reordering.
    • 91434e2 : Decoder: Handle dec_hdl memory allocation failure gracefully
    • 1b0b71d : Decoder: Detect change of mbaff flag in SPS
    • dd13c11 : Decoder: Increased allocation and added checks in sei parsing.
    • 4725456 : Decoder: Fixed incorrect use of mmco parameters.
    • 289a959 : Decoder: Fixed hang in the case of dangling field
    • b7bbfdb : Decoder: Updated error check while parsing num_ref_idx_lx_active.
    • 9736df6 : Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.
    • e0ae59f : Decoder: Conceal picture only if valid picture buffer is obtained.
    • 69bdd80 : Added an out of bound check on u4_num_bufs in input argument
    • c6165b1 : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • afe9ac3 : Decoder: Fixed overflow in refernce list creation.
    • e314ebd : Initialize DPB structures to valid values.
    • 9ae3d40 : Added error check for output buffer size.
    • db578bc : Fixed hang in the case of multiple sps id.
    • 91b7aba : Decoder: Fix in the case of MMCO 6
    • b09a653 : Decoder: Cleaned up parse sps function.
    • f3f937d : Initializing reference list for every P/B slice.
    • fe5ef5f : Fix resolution change within a decode call.
    • 8bf15cc : Decoder: Fixed allocation size of pred info buffer
    • d301cd3 : Decoder: Fix end of bitstream error.
    • 1716850 : Decoder: Fix allocation for Mbaff weight matrix
    • 57af50c : Decoder: Initialize MB info buffer to zero.
    • 9b658e2 : Decoder: Fixed flag u1_top_bottom_decoded.
    • c4b640f : Decoder: Added an error check while parsing PPS.
    • 36aa8a0 : Fix stack buffer overflow in ih264d_process_intra_mb
    • 9c4267d : Decoder: Fixes in accessing mbaff flag in error cases
    • 31f6216 : Fix in the case of MMCO 3 (long term reference idx).
    • 004e0bf : Decoder: Fixed number of MB calculation for interlaced error streams
    • c64f6fd : Decoder: Fix in reference list initialization.
    • 9bdef75 : Fixing a check in ih264d_parse_slice.c
    • c0d5dc5 : :Decoder: Moved end of pic processing to end of decode call
    • e7d1d1a : Decoder: Treat first slice in a picture as part of new picture always
    • 77694e4 : Decoder: Fixed initialization of first_slice_in_pic
    • 1b10a85 : Fix in returning end of bitstream error for MBAFF
    • 33e184e : Decoder: Initialize default reference buffers for all pictures
    • 393fa62 : Decoder: Return correct error code for slice header errors
    • eff1be2 : Decoder: Fixes an out of bound write in bitstream buffer
    • 2eedaca : resolve merge conflicts of 3654ad0 to mnc-dr-dev
    • a09fb2b : Decoder: Fixed allocation of ps_dec-ps_nbr_mb_row
    • cd7f5ce : Decoder: Fix in the case of error in the first MB in frame.
    • a0fb672 : Decoder: Fixed cur_mb_info initialization in error cases
    • 410bad2 : Decoder: Fix in returning incomplete frame error
    • c8bfb5d : Decoder: Fix initialization of ps_next_dpb during reference list creation
    • c181790 : Decoder: Fix in error concealment in the case of Mbaff clips
    • fbc52de : Decoder: Fix in the case of error in the first MB in frame.
    • cd551e2 : Decoder: Fixed allocation of ps_dec-ps_nbr_mb_row
    • 9ee314a : Call ih264d_deblock_display only for valid process calls
    • 64d2e6b : Decoder: Fix in MB count in MBAff error handling
    • 637d5ae : Decoder: Fixed an out of bound access while parsing SEI
    • 40f533a : Decoder: Initialize ps_cur_slice-u1_mbaff_frame_flag correctly for error cases
    • c7261f5 : Decoder: Increase memory allocation for weights & offsets for interlaced clips
    • 70dcbc9 : Decoder: Fixed DoS in header decode when no PPS is present
    • 67e8c0d : Decoder: Fix in checking first_mb_in_slice
    • e279385 : Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
    • 404b451 : Decoder: Fix in checking for valid profile flags

  • platform/external/libhevc with 50 change(s)
    • e74332c : Add push-pop for Neon D8-D15 registers
    • 2e3e140 : Add few more checks for invalid parameters in sps
    • 58117bd : Add missing return check for short_term_ref_pic_set()
    • cb2f139 : Add bounds check for tile dimensions
    • 2a3e5c0 : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 16a0bce : Add limits check for the CTB position in a frame
    • 956efdd : Return error for invalid st/lt sps parameters
    • a473f96 : Add limits check for depth hierarchy sps parameters
    • b0b652b : Return error for invalid sps sub layers parameters
    • e9a3c4d : Return error for invalid reorder parameter
    • c29b138 : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • 12fd9b5 : Fix output buffer size check
    • 8dbc3c9 : Update ctb pu map for I slice
    • cba3f83 : Check if luma wd and ht are multiple of min cb size
    • cd03863 : Fix first frame error return
    • b7709c1 : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • de3dfbf : Fixed few issues in SAO arm assemblies
    • 6826390 : Return error for negative crop parameters
    • 08d227a : Fix incomplete frame error
    • e234a5a : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • 2494267 : Fix slice address zero for not first slice in pic
    • 87e7ef3 : Fix prev slice incomplete check
    • 66862cd : Set error skip ctbs as multiple 8x8 pus
    • 7b6e6dc : Alloc extra bytes for bits buf for parse optimzation
    • 210d803 : Added an out of bound check on u4_num_bufs in input argument
    • bd5ddf3 : Fix tile index buf alloc size
    • 67770a7 : Ensure CTB size 16 for clips with tiles and width/height = 4096
    • 6aca7d7 : Fix slice decrement for skipped slices
    • 45b2f4c : Fix array size for hrd parameters
    • de48d4e : Return error for invalid crop parameters
    • 40f470e : Limit boundary PU sizes in case of errors
    • cab52b6 : Check number of output buffers and sizes
    • c1b27ac : Fix OOB issue in nal unit parsing
    • 05af643 : Set pic_present at end of pic_init instead of beginning
    • 77efc49 : Handle error return in parse slice
    • 759c6b0 : Fix heap buffer overflow while searching for valid PPS
    • 24391bb : Check for buffer overflow in pps/slice header parsing
    • 2e9f8a6 : memset SPS to zero
    • 70b133a : Fix reallocation for new sps
    • b4bb41d : Check for cpb cnt in hrd parsing
    • 80755f7 : Set current slice ctb x and y to fill prev incomplete slice
    • 8517b27 : Correct Tiles rows and cols check
    • 799ce49 : Check only allocated mv bufs for releasing from reference
    • 7cf440e : Fix in handling wrong cu_qp_delta
    • 99d97e8 : Handle invalid num_reorder_pics & max_dec_pic_buffering in SPS
    • 2198a9a : Added check for invalid log2_max_transform_block_size in SPS
    • 56ef5e7 : Fixed out of bound reads in stack variables
    • 2462e77 : Fixed handling invalid chroma tu size for error clips
    • 36b9d19 : Fix in Chroma SAO for non-multiple of 8 height
    • 04446e8 : Handle invalid slice_address in slice header

  • platform/external/libmpeg2 with 28 change(s)
    • 010d1ce : Add push-pop for Neon D8-D15 registers
    • 1ce9fdd : Handle Unsupported Dimensions in Test App
    • 101a163 : Adding check for min_width and min_height
    • 0c9068a : Adding Check For Number of Skip MBs
    • b131eed : Adding Internal Input Buffer
    • 1098e6d : Fixing Underflow of ps_dec-u2_num_mbs_left
    • 3a448da : Adding Error Check for Output Buffer Size
    • 7f58578 : Correcting Buffer Allocation for Shared Display
    • 41f79e9 : Adding Error Check for f_code Parameters
    • bd5e571 : Reject Multiple seq_hdr With Different Dimensions
    • 63de583 : Update num_mbs_left When mb_x is Reset.
    • 4f4e2d2 : DoS error - Bitstream Overflow
    • d0ecf94 : Fix Error When Input Buffer is Full
    • ad3f27b : Fix Half Pel MC on Last Ref Row
    • 0da705d : Check on Picture Dimensions
    • 9925028 : Check Number of MBs to Skip.
    • f7a8a46 : Replace memcpy with memmove to Solve Memory Overlap Error
    • 4966a23 : Propagating Error From impeg2d_pre_pic_dec_proc
    • 54f9fe0 : Fixed Memory Overflow Errors
    • 3ebbb49 : Correcting NumCoeff Check in VLD
    • 1664b7d : Adding Error Check For PictureStructure Param
    • c057188 : Update mbs_left In Case Of Missing Slice
    • 61cbf78 : Check For Zero Width/Height in Frame Header
    • 06b3ac4 : Check Number of Skip MBs
    • 055659b : Error Resilience - Check on as_recent_fld[0][1]
    • 9a53689 : Fix Bytes Consumed Issue
    • ec0a66b : Check for Valid Frame Rate in Header
    • e3f9ea5 : Error Check for VLD Symbols Read

  • platform/external/libnfc-nci with 23 change(s)
    • b0fd3c5 : Fix heap overflow in nfa_rw_store_ndef_rx_buf
    • 7dd06dd : Prevent OOB read in rw_i93_process_sys_info()
    • c9b6ad4 : Prevent OOB error in rw_i93_sm_update_ndef()
    • 1edc17f : Prevent OOB error in rw_i93_sm_read_ndef()
    • b264b71 : Prevent OOB error in rw_i93_sm_detect_ndef()
    • 4307608 : Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
    • ee874a1 : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • da74da6 : Prevent Out of bounds read in ce_t4t.cc
    • b8b8d18 : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • 4601eaf : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • fcc65fa : Fix heap overflow in NFA_SendRawFrame()
    • 1f9f29a : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • 218a6e7 : Prevent OOB read in rw_t3t_update_block()
    • e6b3a6b : Fix CVE
    • 1ba3239 : Prevent Out of bound error in phNxpNciHal_process_ext_rsp
    • 21da577 : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • e93131a : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • 1e828d2 : Prevent Out of bounds read in llcp_dlc
    • ee8cb36 : Improve AGF PDU integrity check to prevent OOB error
    • 95a3d68 : Prevent OOB error in nfc_ncif_proc_get_routing()
    • c1e8451 : Prevent Out of bounds read in llcp_util
    • 482a31e : Prevent OOB error for T2T read/writes
    • 4879b6f : Fix native crash in nfc_ncif_proc_activate

  • platform/external/libnl with 2 change(s)
    • 10376ed : Perform range check on len in nlmsg_reserve
    • 54d08c6 : libnl: Check data length in nla_reserve / nla_put

  • platform/external/libopus with 1 change(s)
    • 2fe2c11 : Ensure that NLSF cannot be negative when computing a min distance between them

  • platform/external/libvpx with 6 change(s)
    • 938648d : Fixes a double free in ContentEncoding
    • 7edb4d7 : Check there is only one settings per ContentCompression
    • 1aed3ab : libwebm: Cherrypick 5a41830 from upstream
    • f60cd35 : Limit vpx decoder to 4K frames
    • b180545 : libvpx: Cherry-pick 1961a92 from upstream
    • be6b4a2 : vp8:fix threading issues

  • platform/external/libxml2 with 1 change(s)
    • 93a8ba1 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • ed1bc3a : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/sfntly with 1 change(s)
    • 6a8b857 : Fix uninitialized value in sfntly

  • platform/external/skia with 5 change(s)
    • 7a9ded6 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • d0dda94 : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • b9f8003 : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"
    • 62a7c21 : Fix SkFILEStream.
    • 42081da : Fix out of bounds memory read in GIFMovie.cpp

  • platform/external/sonivox with 11 change(s)
    • a63cca3 : sonivox: prevent rejection of good but large MIDI files
    • 51322e1 : sonivox: prevent infinite loop in OTA ringtones
    • ca66aeb : Revert "sonivox: prevent infinite loop in OTA ringtones"
    • 57c51b6 : sonivox: prevent infinite loop in OTA ringtones
    • 22109ff : sonivox: fix hang caused by bad meta-event
    • ab01961 : Add recursion limit to XMF_ReadNode
    • 98075ef : Fix memory leak
    • 0f5db72 : Fix interpolator
    • b60596c : Fix infinite recursion
    • 11277ed : Check chunk size
    • 9b5ea64 : eas_mdls: fix OOB read.

  • platform/external/sqlite with 1 change(s)
    • 034d286 : RESTRICT AUTOMERGE: Apply security patch to sqlite 3.9.

  • platform/external/svox with 1 change(s)
    • e7595d7 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 7 change(s)
    • 5c78f22 : Add some error/overflow checks in codebook handling
    • 5ab9681 : Fix OOB access in Tremolo
    • 71838f3 : Fix out of bounds access in codebook processing
    • bd717b3 : Use heap instead of alloca in res012.c
    • ed529ef : Always use unsigned char
    • 59090f7 : Fix divide by zero for non-arm processor
    • 80cdebb : Tremolo: fix ARM assembly code for decode_map type 3 case

  • platform/external/v8 with 6 change(s)
    • b50d0ed : Fix type confusion in libpac
    • ce00a75 : [RESTRICT AUTOMERGE] Fix Integer Overflow in libpac
    • 98ae18d : [RESTRICT AUTOMERGE] Fix type confusion in libpac
    • e30b0f1 : [RESTRICT AUTOMERGE] Fix OOB Access in libpac
    • 1222e71 : Fix OOB read in libpac ast-numbering.cc
    • 9beeda5 : Fix type confusion in libpac

  • platform/external/wpa_supplicant_8 with 11 change(s)
    • a9c383a : [wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
    • 4874e9f : Use BoringSSL to get random bytes
    • f7d35fa : WNM: Fix WNM-Sleep Mode Request bounds checking
    • 821e5a0 : TDLS: Reject TPK-TK reconfiguration
    • ac7d7d1 : Fix PTK rekeying to generate a new ANonce
    • 723382d : Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
    • dde7201 : FT: Do not allow multiple Reassociation Response frames
    • f7b6020 : WNM: Ignore WNM-Sleep Mode Response without pending request
    • 8f88a54 : Prevent installation of an all-zero TK
    • fd7bc4d : hostapd: Avoid key reinstallation in FT handshake
    • cf23c42 : Prevent reinstallation of an already in-use group key

  • platform/frameworks/av with 101 change(s)
    • 8680974 : httplive: detect oom if playlist is infinite
    • 978b5a6 : Fix overflow/dos in 3gg text description parsing
    • cde642e : Remove unused AVIExtractor source
    • 8f42d40 : NuPlayerCCDecoder: fix memory OOB
    • 8398c50 : audio: ensure effect chain with specific session id is unique
    • aaabf88 : AudioFlinger: Prevent multiple effect chains with same sessionId
    • 1d59b1c : Reserve enough space for RTSP CSD
    • 98dd5ce : CTS error while media dump()
    • 2da3b02 : MediaExtractor: stop rendering when an error occurs
    • f4a995e : Check for overflow of crypto size
    • ac98871 : Revert "MediaExtractor: stop rendering when an error occurs"
    • 53f38bf : M3UParser: handle missing EXT-X-MEDIA URIs
    • db3cc61 : MediaExtractor: stop rendering when an error occurs
    • 266b371 : Fix possible out of bounds read
    • bef9f90 : M3UParser: make url on demand
    • 07a2a99 : Speed up id3v2 unsynchronization
    • 86632bc : Sanitize effect descriptors for AudioPolicyService binder calls.
    • 3ccf099 : Add check preventing div0 issue
    • fcb4984 : Init gain config to prevent uninit leak.
    • 9a8e333 : better mpeg2 TS elementary stream Access Unit parsing
    • 4c1ab61 : Handle bad bitrate index in mp3dec.
    • 60061f5 : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • 9775837 : Check NAL size before looking inside
    • 5411aff : RESTRICT AUTOMERGE Prevent MediaPlayerService::Client's use-after-free
    • 444554e : AACExtractor: check bounds during seek
    • ce60c33 : httplive: check for malformed EXT-X-STREAM-INF
    • 9fdfade : Apply input buffer validation also to AVC and MPEG4 encoders
    • 05d970e : IAudioPolicyService: Add attribute tags sanitization
    • b8188ce : Soundtrigger service: fix status reporting in loadSoundModel
    • f834f67 : Access AVCDEC context after create fail check
    • 7cf7c85 : stagefright: MP4Extractor: allow 10% overhead on default sample size
    • e09fae7 : Validate decryption key length to decrypt function.
    • 1300313 : Fix the UAF bug caused by a dead stack variable
    • dbf4c04 : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • 6f84a91 : RESTRICT AUTOMERGE Protect against possible race conditions
    • 08ae378 : SoftAVCDec: Handle zero length input without EOS
    • 9d38226 : Access HEVC context after create fail check
    • c7a6081 : Fix edge case when applying id3 unsynchronization
    • dc6d6ca : Fix information disclosure in mediadrmserver
    • a981cd2 : Soundtrigger service: fix cross deadlock with audio policy service
    • 38a8649 : IMediaExtractor: ensure users to check returned value by getTrack.
    • 405db9c : Fix issues with extractor dumpsys
    • e274868 : OMXNodeInstance: use a lock in freeNode
    • 2dce7a6 : m4v_h263: fix global buffer overflow
    • ed98f89 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • 5593124 : Revert "Fix memory leaks"
    • 9654b0a : Revert "AudioPolicyService: Acquire mutex for SoundTriggerSession"
    • 96f4e36 : media: Fix a typo in parsing nclc atom.
    • 63134f0 : nuplayer: handle error from MediaCodec in Decoder handleAnOutputBuffer
    • 3b350cb : Track graphic buffer mode in OMXNodeInstance
    • f578324 : Block allocateBufferWithBackup in secure native handle mode
    • c5e90fe : Fix memory leaks
    • d30b566 : EffectBundle: Check parameter and value size
    • 2b0ecd6 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • bd3eafd : Check buffer size in useBuffer in software components
    • 584d6fe : stagefright: avoid buffer overflow in base64 decoder
    • 28e0213 : Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
    • b37c16f : Fix 'potential memory leak' compiler warning.
    • 01d5c60 : Fix memory leak in OggExtractor
    • 01d61e5 : Skip track if verification fails
    • 5b50170 : MPEG4Source: fix fragmented read.
    • 8929c7f : MediaPlayerService: fix access of mPlayer in client
    • a8d0008 : audio effects: filter reserved effect commands
    • 2513d87 : stagefright: fix crash due to bad timestamp index
    • 67da071 : stagefright: check aac_frame_length to prevent infinite loop
    • 61228a7 : MPEG4Extractor: ensure returned status is checked.
    • 9055343 : Change MPEG2 reinit Error Handling
    • 5bd984d : Track: Check buffer size of static tracks
    • ca0e7f6 : Notify Errors Appropriately from SoftMPEG2
    • 8d944ef : AudioFlinger: Fix memory allocation for client-less tracks
    • dff5d9a : MPEG4Extractor: check size for yrrc box
    • b2e99be : EffectBundle: Check value size for get preset name
    • 528405d : Fix TOCTOU problem in libstagefright_soft_aacenc
    • 5a28c9b : Fix security vulnerability: Equalizer setParameter memory overflow
    • fabe74f : RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
    • 678a05e : better manage buffer for libstagefright_soft_mpeg4enc
    • 6e4d0a3 : m4v_h263: update width/height only when they are valid.
    • 6cb798c : m4v_h263: check header first before decoding a frame.
    • 6a4c304 : Fix integer overflow in mediadrmserver
    • a1c82cc : Fix potential leak
    • 5b901b6 : Modifying MetaData invalidates previous char*
    • 2571805 : Fix memory leak in error case
    • ad19589 : Limit ogg packet size
    • 6d7134b : Prevent OOB write in soft_avc encoder
    • d737fc0 : Avoid crash for stss sync sample number 0
    • 3e639e8 : Don't allow using or allocating a buffer after the first state transition
    • 424bf4b : CameraBase: Don't return an sp by reference
    • f11c935 : Fix overflow check and check read result
    • 4dba479 : resolve merge conflicts of 79cf158c51 to mnc-dev
    • 666ef0b : EffectBundle: check nb channels to write speaker angles
    • 4f4835c : Turn off overflow protection for various math functions
    • 5122df7 : avc_utils: skip empty NALs from malformed bistreams
    • 74415c7 : Don't initialize sync sample parameters until the end
    • fed2ad0 : Fix security vulnerability: potential OOB write in audioserver
    • 68a06bf : Effect: Use local cached data for Effect commit
    • f4c9abb : Visualizer: Check capture size and latency parameters
    • c8b53c9 : stagefright: remove allottedSize equality check in IOMX::useBuffer
    • f7cd467 : Fix security vulnerability: Equalizer command might allow negative indexes
    • 6d34199 : Effects: Check get parameter command size
    • d210d8f : Make VBRISeeker more robust
    • 37d75af : Fix security vulnerability: Effect command might allow negative indexes

  • platform/frameworks/base with 74 change(s)
    • a2146f3 : Clear the Parcel before writing an exception during a transaction
    • 5d9661d : Protect VPN dialogs against overlay.
    • ed7a96a : [RESTRICT AUTOMERGE] Make Lock task default behaviour consistent with Settings.
    • dfe22d8 : SUPL ES Extension - June 2019 rollup
    • 5075ddb : Limit IsSeparateProfileChallengeAllowed to system callers
    • 97b6be0 : [RESTRICT AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
    • efd3329 : [RESTRICT AUTOMERGE] Added missing permission check to isPackageDeviceAdminOnAnyUser.
    • eed0c4d : Permission Check For DPM.getPermittedAccessibilityServices
    • 49d9063 : Revert "Adding SUPL NI Emergency Extension Time"
    • 2accf4d : Select only preinstalled Spell Checker Services
    • 3436736 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • cee7206 : Adding SUPL NI Emergency Extension Time
    • f2348c2 : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • bb720c0 : RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
    • b237305 : Verify number of Map entries written to Parcel
    • 2e6ad93 : Fix crash during cursor moving on BiDi text
    • 2e1ecb4 : [automerger] Optimise the hit test algorithm am: 71ecf5bd5c am: 42eaa8f932
    • 886d85b : Fix TrackInfo parcel write
    • a1f3539 : Resolve inconsistent parcel read in NanoAppFilter
    • cd3b7fd : RESTRICT AUTOMERGE: Prevent shortcut info package name spoofing
    • e4a1055 : Revert "Optimise the hit test algorithm"
    • 0b54338 : Fix DynamicRefTable::load security bug
    • e610e79 : ResStringPool: Prevenet boot loop from se fix
    • 76c54a0 : Optimise the hit test algorithm
    • ecb2bc3 : Make safe label more safe
    • ea6ca6a : clearCallingIdentity before calling into getPackageUidAsUser
    • 1cad795 : Nullcheck to fix Autofill CTS
    • 77970b4 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to nyc-dev)
    • f87201f : ResStringPool: Fix security vulnerability
    • 7b6aa41 : Rework thumbnail cleanup
    • 8903d65 : Fixed Security Vulnerability of DcParamObject
    • b7ffaab : Verify last array's length in readFromParcel
    • d30d938 : Update internal ViewPager's SavedState to match Support Library version
    • be01cad : Fix VerifyCredentialResponse parcelling code
    • 973f0f8 : [RTT] ParcelableRttResults parcel code fix
    • 30d89c9 : Adjust URI host parsing to stop on \ character.
    • 385315c : Check for null-terminator in ResStringPool::string8At
    • 84a217c : Adjust Uri host parsing to use last instead of first @.
    • 8066f29 : mtp: fix double free of thumbnail data
    • d925860 : Use calling user ID when calling isDeviceLocked
    • 67ac393 : Fix ClipboardService device lock check for cross profile
    • ab7e5c2 : Prevent getting data from Clipboard if device is locked
    • 8100bf6 : Stop explicitly using kCallerPasses_Ownership
    • 645eed8 : Revert "Prevent getting data from Clipboard if device is locked"
    • 2936d7d : Revert "Fix ClipboardService device lock check for cross profile"
    • c9dc05d : Fix ClipboardService device lock check for cross profile
    • e91b4d6 : Prevent getting data from Clipboard if device is locked
    • 73188ea : DPC should not be allowed to grant development permission
    • a46477a : Clearing up invalid entries when SyncStorageEngine starts
    • e5a90b5 : Enforce policy for camera gesture in keyguard
    • e5a827c : Fix security hole in GateKeeperResponse.
    • a4fedb6 : Back-port fixes for b/62196835
    • 3b2542e : Close connection before retrying
    • 1afbe7c : ZygoteInit: Remove CAP_SYS_RESOURCE
    • 2e1185a : system_server: add CAP_SYS_PTRACE
    • 3d9d367 : Make a11y node info parceling more robust
    • 521a2b5 : Fixed the logic for tethering provisioning re-evaluation
    • a1cdef5 : Fix issue with saving admins before finishing loading.
    • 9791e34 : resolve merge conflicts of ad4aa1ce7d3d to nyc-mr1-dev
    • 460dfcc : Add @GuardedBy annotation to PersistentDataBlockService#mIsWritable.
    • 40fc549 : Prevent writing to FRP partition during factory reset.
    • ac8e4b9 : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516
    • eda8dbc : Fix vulnerability in MemoryIntArray
    • 4d61dd2 : Zygote: Additional whitelisting for legacy devices.
    • 4e4e00d : Zygote: Additional whitelists for runtime overlay / other static resources.
    • 6956a8b : Zygote : Block SIGCHLD during fork.
    • 9f53b02 : Fix idmap leak in zygote process
    • 4a79657 : Add SafetyNet logging to DHCP packet parsing
    • 87de360 : Public volumes belong to a single user.
    • 3570784 : Revert "Catch KeyStoreException for setting profile lock"
    • 867ef61 : Catch KeyStoreException for setting profile lock
    • 0804215 : Fixed a bug with the emergency affordance in multi user
    • 84e380e : Catch KeyStoreException for setting profile lock
    • aca11d8 : Fixed a bug with the emergency affordance in multi user

  • platform/frameworks/ex with 4 change(s)
    • 499a75e : Add bounds checking for transparency lookup
    • 4a3eb76 : Skip composition of frames lacking a color map
    • 4cce948 : Handle small sized webps correctly
    • 79a1dd0 : resolve merge conflicts of 3802db4 to mnc-dev

  • platform/frameworks/native with 16 change(s)
    • 9d73a7f : [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
    • 4bf11bf : libbinder: readCString: no ubsan sub-overflow
    • 00f21b8 : Sanitize InputMessage before sending
    • 95993ac : Increment when attempting to read protected Parcel Data
    • e369f10 : Don't pad before calling writeInPlace().
    • 53defd8 : Disallow reading object data from Parcels with non-object reads
    • 93cfe56 : fix race condition that can cause a use after free
    • 7be50f6 : libgui: check for invalid slot in attachBuffer
    • 277b287 : libgui: Check slot received from IGBP in Surface
    • db22c62 : ui: Fix bad size check in Fence::unflatten
    • f6f02a1 : Fix security vulnerability
    • 304b9dc : Correct overflow check in Parcel resize code
    • c77ef0e : Fix SF security vulnerability: 32706020
    • 9b8e841 : Fix security vulneratibly 31960359
    • d304bb1 : Fix integer overflow in unsafeReadTypedVector
    • b968aba : Fix SF security vulnerability: 32660278

  • platform/frameworks/opt/net/wifi with 3 change(s)
    • ae6b709 : RESTRICT AUTOMERGE: WifiServiceImpl: fix and add tethering checks
    • f7ab405 : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange
    • dc99b57 : configparse: do not delete passpoint configuration file

  • platform/frameworks/opt/telephony with 1 change(s)
    • 0f1f3e9 : Fixed Invalid Pdu Issue

  • platform/hardware/libhardware with 1 change(s)
    • 2aa891c : Fix security vulnerability: potential OOB write in audioserver

  • platform/hardware/qcom/audio with 4 change(s)
    • 3e923d7 : Equalizer: Check value size for get preset name
    • 164961f : Fix security vulnerability: Equalizer setParameter memory overflow
    • 4d6606d : Fix security vulnerability: Equalizer command might allow negative indexes
    • f567a2a : Fix security vulnerability: Effect command might allow negative indexes

  • platform/libcore with 10 change(s)
    • 615d462 : Fix hostname parsing in java.net.URLStreamHandler.
    • ad72e4c : Fix failing FileTest#test_canonicalCachesAreOff()
    • f51ead9 : Disable File.getCanonicalPath caches.
    • 25f3923 : Proper fix for rejecting ftp URL with /r/n.
    • fae4a07 : Revert "Reject ftp URLConnection containing /r/n in user info."
    • 79bc088 : Reject ftp URLConnection containing /r/n in user info.
    • 500bdd9 : Test for rejection of ftp URL with /r/n in userinfo
    • 7cfdf4d : Fix URLTest#testAtSignInUserInfo failure
    • 865f9a6 : Pull upstream fix for CVE-2016-5552
    • 0649568 : Fix URL parser may return wrong host name

  • platform/packages/apps/Bluetooth with 4 change(s)
    • 56788e9 : Make sure server response doesn't exceed maximum allowable length
    • ef3efc9 : OPP: Restrict file based URI access to external storage
    • e031d6e : Prevent OPP from opening files that aren't sent over Bluetooth
    • 6f84804 : Remove MANAGE_DOCUMENTS permission as it isn't needed

  • platform/packages/apps/CertInstaller with 2 change(s)
    • 758cb77 : WifiInstaller: add permission for access downloaded files
    • e1f2a72 : WifiInstaller: remove the installation file

  • platform/packages/apps/Contacts with 1 change(s)
    • b7f7469 : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/ContactsCommon with 1 change(s)
    • 34d9f2f : resolve merge conflicts of 9f523b4 to nyc-dev

  • platform/packages/apps/Email with 3 change(s)
    • e2e7ac8 : AOSP/Email - bug fix: do not allow composing message with hidden private data attachments.
    • fd45cde : AOSP/Email - Second part of the Security Vulnerability fix - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • fe0e269 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 8 change(s)
    • 2c0aba5 : Messaging ignores file URIs shared via intent
    • 8671cb3 : 37742976 - Catch bad gifs
    • c3ec474 : 33388925 Mismatched new vs delete in framesequence library
    • 6994c83 : 32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap-Colors[colorIndex]
    • 1a640db : 32161610 Security Vulnerability - Information disclosure vulnerability in AOSP Messaging
    • f13c73f : resolve merge conflicts of eafd58a to nyc-dev
    • a5870bb : 32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app.
    • 29dbbe6 : 32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so

  • platform/packages/apps/Nfc with 2 change(s)
    • d2c9b02 : Prevent OOB write in phFriNfc_ExtnsTransceive
    • 0a93758 : Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

  • platform/packages/apps/PackageInstaller with 2 change(s)
    • 2a78bca : RESTRICT AUTOMERGE: Always use safe labels
    • a7356b7 : Prioritize package installer intent filter

  • platform/packages/apps/Settings with 9 change(s)
    • 5decabb : Do not allow draw on top for App notification settings
    • 2f01ae7 : [RESTRICT AUTOMERGE] Make ScreenPinningSettings behaviour consistent with lock tasks.
    • bc9862d : Do not allow draw on top for default sms picker.
    • 6faebe3 : Reword bluetooth confirmation dialog
    • 86cc2be : Set device credential's Window flag to be SECURE.
    • aca1fb9 : Disabling the activate button when paused
    • 61a6b9b : Back-port ag/2491664
    • 23478c4 : Fix phishing attack in ChooseLockGeneric
    • fdac21f : resolve merge conflicts of 3964c51bf2 to nyc-dev

  • platform/packages/apps/TvSettings with 2 change(s)
    • 7ef9b3a : Provide stub intent filters for CTS
    • abc1728 : Provide stub intent filters for CTS

  • platform/packages/apps/UnifiedEmail with 5 change(s)
    • 608ec5c : AOSP/UnifiedEmail - bug fix to composing messages.
    • 3217d4e : AOSP/Email - Fixed - Security Vulnerability - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • f1b0434 : Filter Attachment file name of forward slashes for .eml attachments.
    • 3554a00 : Disallow attaching files from our own EmailAttachmentProvider.
    • 01506dd : Don't allow file attachment from /data through GET_CONTENT.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • 261999f : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • a526b97 : Rework thumbnail cleanup

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • dedfb4f : Check access to user and password fields in APN db

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • 27406af : Check caller before accessing database

  • platform/packages/services/Telecomm with 1 change(s)
    • 4f46d70 : Add flag to default dialer change dialog

  • platform/packages/services/Telephony with 3 change(s)
    • 24ea27a : Added permission check for setCellInfoListRate
    • a98f66b : Catch SIP exceptions which can crash Phone process on answer.
    • c8f5e04 : Not cache empty config bundle.

  • platform/system/bt with 31 change(s)
    • 35d8eee : Fix buffer overflow in btif_dm_data_copy
    • 1c4b508 : Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
    • 2330b3f : Fix possible OOB read in process_service_search_rsp
    • 246579a : Checks the SMP length to fix OOB read
    • ea8f165 : Fix copy length calculation in sdp_copy_raw_data
    • f3b19e5 : Don't use Address after it was deleted
    • 35ff21c : Add packet length checks in l2cble_process_sig_cmd
    • 4423dcf : SDP: return error on offset bigger than atribute length
    • c3a0496 : Add checks whether the AVDTP element data length is valid
    • 5ce88e7 : BNEP: Fix OOB access in bnep_data_ind
    • 7ee96f5 : Fixes two bluetooth bugs causing remote overreads (2/2)
    • acc18c2 : Decrease length after reading from array in process_service_attr_req
    • 4601ec4 : GATT: Handle too short Error Response PDU
    • 58dcbe4 : Add PDU size checks in process_service_search_attr_rsp
    • 27416f5 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • ae32a03 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • dbc6bad : BNEP: Check received frame type
    • 5069cdd : SDP: Pass the bounds to process_service_*_rsp
    • 2f05ce6 : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 3077a3d : Removed alarm callback execution statistics
    • 6ba7064 : Read the correct amount of attributes
    • 0863a12 : SDP: Bounds check 'id' parameter for free_sdp_slot()
    • 2e66d94 : Add missing extension length check while parsing BNEP control packets
    • 8b19afa : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • 8833eae : Add a missing check for PAN buffer size before copying data
    • 742f51d : Disable PAN Reverse Tethering when connection originated by the Remote
    • 75a6774 : Allocate buffers of the right size when BT_HDR is included
    • fcd8689 : Add missing packet length checks while parsing BNEP control packets
    • 2caee61 : Add missing continuation offset check for SDP continuation requests
    • 5b571a7 : Check LE advertising data length before caching advertising records
    • b90b669 : Mask out HFP 1.7 feature bits if peer version is 1.7

  • platform/system/core with 6 change(s)
    • 4ec0bcf : String16: remove integer overflows
    • 9fbba97 : libnetutil: Check dhcp respose packet length
    • 11f60c5 : zip_archive: reject files that don't start with an LFH signature.
    • b794272 : Fix integer overflow in utf{16,32}_to_utf8_length
    • f00d581 : Fix out of bound read in libziparchive
    • f2ebb89 : change /data/bugreports to /bugreports

  • platform/system/gatekeeper with 1 change(s)
    • 5f53532 : Remove potential double free

  • platform/system/media with 2 change(s)
    • 1a51632 : Camera: Initialize metadata padding field
    • 263f752 : Camera metadata: Check source metadata size

  • platform/system/sepolicy with 2 change(s)
    • 4df2bdc : system_server: replace sys_resource with sys_ptrace
    • edd3f19 : label /bugreports

  • platform/system/update_engine with 2 change(s)
    • 724f583 : Add SafetyNet logging for payload timestamp error.
    • dd157e3 : Add maximum timestamp to the payload.

  • platform/system/vold with 1 change(s)
    • 60d7059 : Require quotes when searching for blkid keys.