Android Nougat AOSP Changes

Changes from 7.1.2_r33 (NZH54D) to 7.1.2_r36 (N2G48H):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Updated Components (30):

  • device/google/dragon with 1 change(s)
    • 4c19fd7 : Fix audio record pre-processing

  • platform/bionic with 1 change(s)
    • e102fae : linker: remove link from external library on unload

  • platform/build with 10 change(s)

  • platform/external/boringssl with 1 change(s)

  • platform/external/dng_sdk with 1 change(s)
    • c702642 : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/dnsmasq with 2 change(s)
    • dfd58fc : Add extra (size_t) cast to avoid compiler warning.
    • 62c4f00 : Make dnsmasq more stable.

  • platform/external/libavc with 24 change(s)
    • 90305d2 : Decoder: Fixed hang in the case of dangling field
    • 0804050 : Decoder: Updated error check while parsing num_ref_idx_lx_active.
    • 4088067 : Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.
    • 64229ce : Added an out of bound check on u4_num_bufs in input argument
    • 5fb053b : Decoder: Conceal picture only if valid picture buffer is obtained.
    • a09a8b4 : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • 1ba09b6 : Decoder: Fixed overflow in refernce list creation.
    • af9bee7 : Initialize DPB structures to valid values.
    • 4efd257 : Added error check for output buffer size.
    • 490bed0 : Fixed hang in the case of multiple sps id.
    • f6650b3 : Decoder: Fix in the case of MMCO 6
    • fe5ade4 : Decoder: Cleaned up parse sps function.
    • efd28f6 : Initializing reference list for every P/B slice.
    • dfbbb54 : Fix resolution change within a decode call.
    • 676c26e : Decoder: Fixed allocation size of pred info buffer
    • 989df73 : Decoder: Fix end of bitstream error.
    • 91cb6b1 : Decoder: Fix allocation for Mbaff weight matrix
    • f02a31d : Decoder: Initialize MB info buffer to zero.
    • 632ff75 : Decoder: Fixed flag u1_top_bottom_decoded.
    • 0d0ddb7 : Decoder: Added an error check while parsing PPS.
    • 989b2af : Fix stack buffer overflow in ih264d_process_intra_mb
    • b8fee6a : Decoder: Fix in reference list initialization.
    • 381ccb2 : Decoder: Fixes in accessing mbaff flag in error cases
    • 62c0746 : Fix in the case of MMCO 3 (long term reference idx).

  • platform/external/libhevc with 20 change(s)
    • c77e054 : Alloc extra bytes for bits buf for parse optimzation
    • 9e7d20a : Added an out of bound check on u4_num_bufs in input argument
    • 83ce23a : Fix tile index buf alloc size
    • d7a83f9 : Fix slice decrement for skipped slices
    • 845c088 : Ensure CTB size 16 for clips with tiles and width/height = 4096
    • 5aa31b4 : Limit boundary PU sizes in case of errors
    • 0d394d8 : Fix array size for hrd parameters
    • eb11877 : Check number of output buffers and sizes
    • 1558873 : Return error for invalid crop parameters
    • e6e353a : Fix OOB issue in nal unit parsing
    • 314a0d0 : Set pic_present at end of pic_init instead of beginning
    • 84732aa : Handle error return in parse slice
    • cc56834 : Fix heap buffer overflow while searching for valid PPS
    • 2210ff5 : Check for buffer overflow in pps/slice header parsing
    • a92b39f : memset SPS to zero
    • 4395fc2 : Fix reallocation for new sps
    • 8e415ea : Check for cpb cnt in hrd parsing
    • ebaa71d : Correct Tiles rows and cols check
    • 14bc167 : Set current slice ctb x and y to fill prev incomplete slice
    • 913d9e8 : Check only allocated mv bufs for releasing from reference

  • platform/external/libmpeg2 with 17 change(s)
    • 2394a9f : Update num_mbs_left When mb_x is Reset.
    • c5be6af : Fix Error When Input Buffer is Full
    • 8dfd635 : Reject Multiple seq_hdr With Different Dimensions
    • ace8141 : DoS error - Bitstream Overflow
    • 7334616 : Propagating Error From impeg2d_pre_pic_dec_proc
    • e7c0673 : Check on Picture Dimensions
    • 0778d90 : Fix Half Pel MC on Last Ref Row
    • 525428b : Check Number of MBs to Skip.
    • 578bf9e : Replace memcpy with memmove to Solve Memory Overlap Error
    • 7c5117d : Fixed Memory Overflow Errors
    • d5f5264 : Correcting NumCoeff Check in VLD
    • f0afcf1 : Adding Error Check For PictureStructure Param
    • 327496c : Update mbs_left In Case Of Missing Slice
    • 08a0d1a : Check For Zero Width/Height in Frame Header
    • 1603112 : Check Number of Skip MBs
    • b8d7e85 : Error Resilience - Check on as_recent_fld[0][1]
    • 680b75d : Fix Bytes Consumed Issue

  • platform/external/libvpx with 1 change(s)
    • 698796f : Limit vpx decoder to 4K frames

  • platform/external/skia with 1 change(s)

  • platform/external/sonivox with 3 change(s)

  • platform/external/tremolo with 3 change(s)
    • 929c4e5 : Fix out of bounds access in codebook processing
    • 8de50b5 : Use heap instead of alloca in res012.c
    • 822af05 : Always use unsigned char

  • platform/external/wpa_supplicant_8 with 8 change(s)
    • 2c8e086 : TDLS: Reject TPK-TK reconfiguration
    • 9a276fc : Fix PTK rekeying to generate a new ANonce
    • 2beb726 : Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
    • ed3bec4 : FT: Do not allow multiple Reassociation Response frames
    • a58997e : WNM: Ignore WNM-Sleep Mode Response without pending request
    • a685d94 : Prevent installation of an all-zero TK
    • 145798f : hostapd: Avoid key reinstallation in FT handshake
    • 2fe07c5 : Prevent reinstallation of an already in-use group key

  • platform/frameworks/av with 44 change(s)
    • 03edcb9 : Soundtrigger service: fix cross deadlock with audio policy service
    • 2e75c7d : OMXNodeInstance: use a lock in freeNode
    • be03007 : IMediaExtractor: ensure users to check returned value by getTrack.
    • f078bbc : Fix issues with extractor dumpsys
    • a16a044 : Fix information disclosure in mediadrmserver
    • 2d675c9 : m4v_h263: fix global buffer overflow
    • 1baa0a2 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • 4448ac7 : nuplayer: handle error from MediaCodec in Decoder handleAnOutputBuffer
    • 43aa750 : media: Fix a typo in parsing nclc atom.
    • ddc472b : Fix memory leaks
    • f52858d : EffectBundle: Check parameter and value size
    • 8239dfe : Track graphic buffer mode in OMXNodeInstance
    • 4647032 : Block allocateBufferWithBackup in secure native handle mode
    • 442e7cb : Fix 'potential memory leak' compiler warning.
    • 221aa2a : Check buffer size in useBuffer in software components
    • 33b6560 : stagefright: avoid buffer overflow in base64 decoder
    • 4d82d4e : Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
    • d9b32c1 : Fix memory leak in OggExtractor
    • 0cf3009 : Skip track if verification fails
    • 8be63d2 : MPEG4Source: fix fragmented read.
    • bac185c : stagefright: fix crash due to bad timestamp index
    • d9ca11f : stagefright: check aac_frame_length to prevent infinite loop
    • b6f0a6e : MediaPlayerService: fix access of mPlayer in client
    • bcb32c4 : audio effects: filter reserved effect commands
    • ed6c3ef : MPEG4Extractor: ensure returned status is checked.
    • b126352 : Change MPEG2 reinit Error Handling
    • 4dc5da0 : Track: Check buffer size of static tracks
    • c84fd5b : MPEG4Extractor: check size for yrrc box
    • 504e9be : AudioFlinger: Fix memory allocation for client-less tracks
    • 44edd4b : Notify Errors Appropriately from SoftMPEG2
    • 5ec80e2 : EffectBundle: Check value size for get preset name
    • e18c398 : Fix TOCTOU problem in libstagefright_soft_aacenc
    • 1d919d7 : Fix security vulnerability: Equalizer setParameter memory overflow
    • 77e075d : RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
    • c101839 : better manage buffer for libstagefright_soft_mpeg4enc
    • b6ec3bb : m4v_h263: update width/height only when they are valid.
    • 26557d8 : m4v_h263: check header first before decoding a frame.
    • 9697478 : Fix integer overflow in mediadrmserver
    • 8995285 : Fix potential leak
    • 64bc0b8 : Modifying MetaData invalidates previous char*
    • c5eaf3a : Fix memory leak in error case
    • 1f418f1 : Limit ogg packet size
    • c7c9271 : Prevent OOB write in soft_avc encoder
    • 1618337 : Don't allow using or allocating a buffer after the first state transition

  • platform/frameworks/base with 13 change(s)
    • ee970aa : Stop explicitly using kCallerPasses_Ownership
    • 1ff2f65 : Fix ClipboardService device lock check for cross profile
    • 93685c7 : Prevent getting data from Clipboard if device is locked
    • 4f062f9 : Clearing up invalid entries when SyncStorageEngine starts
    • aafeb72 : Enforce policy for camera gesture in keyguard
    • c505f55 : Fix security hole in GateKeeperResponse.
    • c217638 : DPC should not be allowed to grant development permission
    • e0e7aa6 : Back-port fixes for b/62196835
    • 6f357fd : Close connection before retrying
    • 40942aa : ZygoteInit: Remove CAP_SYS_RESOURCE
    • 31a72ad : system_server: add CAP_SYS_PTRACE
    • 037fe89 : Fix re-enabling alert window appop after leaving VR mode.
    • 59773dc : Make a11y node info parceling more robust

  • platform/frameworks/native with 4 change(s)
    • 39dfabd : fix race condition that can cause a use after free
    • 5ac63e4 : libgui: check for invalid slot in attachBuffer
    • 75edf04 : libgui: Check slot received from IGBP in Surface
    • 5fc2df2 : ui: Fix bad size check in Fence::unflatten

  • platform/frameworks/opt/net/wifi with 1 change(s)
    • e8beda2 : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange

  • platform/hardware/broadcom/wlan with 3 change(s)
    • d937990 : net: wireless: bcmdhd: update bcm4354/4356 FW (7.35.101.8)
    • 6e10a21 : net: wireless: bcmdhd: update bcm4354/56 FW (7.35.101.6)
    • 313eb3d : net: wireless: bcmdhd: adding bssid count NL attribute in SWC config

  • platform/hardware/intel/common/omx-components with 1 change(s)
    • 8b6554b : Rejected the invalid size of input video buffer.

  • platform/hardware/qcom/audio with 2 change(s)
    • cdd2929 : Equalizer: Check value size for get preset name
    • 234848d : Fix security vulnerability: Equalizer setParameter memory overflow

  • platform/hardware/qcom/media with 1 change(s)
    • 7d95140 : mm-video-v4l2: venc: Protect buffer from being freed while accessing

  • platform/libcore with 4 change(s)
    • dfc5222 : Fix failing FileTest#test_canonicalCachesAreOff()
    • 546474f : Disable File.getCanonicalPath caches.
    • c5dd90d : Proper fix for rejecting ftp URL with /r/n.
    • 9456600 : Test for rejection of ftp URL with /r/n in userinfo

  • platform/packages/apps/Bluetooth with 2 change(s)
    • 14b7d7e : Prevent OPP from opening files that aren't sent over Bluetooth
    • f196061 : OPP: Restrict file based URI access to external storage

  • platform/packages/apps/Messaging with 1 change(s)
    • 623ab51 : 37742976 - Catch bad gifs

  • platform/packages/apps/Nfc with 1 change(s)
    • 9bbbd08 : Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

  • platform/packages/apps/Settings with 4 change(s)
    • 93f24e3 : Disabling the activate button when paused
    • 2a69b3f : Back-port ag/2491664
    • 179f0e9 : Fix phishing attack in ChooseLockGeneric
    • 4af8f91 : resolve merge conflicts of 3964c51bf2 to nyc-dev

  • platform/system/bt with 10 change(s)
    • 87b81e5 : Read the correct amount of attributes
    • e6560ee : SDP: Bounds check 'id' parameter for free_sdp_slot()
    • ab5561e : Add missing extension length check while parsing BNEP control packets
    • e0a8ce0 : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • 097b33e : Add a missing check for PAN buffer size before copying data
    • e6fbaef : Add missing packet length checks while parsing BNEP control packets
    • c25c78c : Add missing continuation offset check for SDP continuation requests
    • 563eb21 : Disable PAN Reverse Tethering when connection originated by the Remote
    • 23de612 : Allocate buffers of the right size when BT_HDR is included
    • 2bcdf8e : Check LE advertising data length before caching advertising records

  • platform/system/core with 3 change(s)
    • 219a8ee : zip_archive: reject files that don't start with an LFH signature.
    • b0998ba : Fix integer overflow in utf{16,32}_to_utf8_length
    • 3d6a431 : Fix out of bound read in libziparchive

  • platform/system/sepolicy with 1 change(s)
    • 9ad6714 : system_server: replace sys_resource with sys_ptrace