Android Nougat AOSP Changes

Changes from 7.1.2_r36 (N2G48H) to 7.1.2_r37 (N2G47J):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Updated Components (55):

  • device/google/dragon with 1 change(s)
    • bcc0fcd : Fix audio record pre-processing

  • platform/art with 1 change(s)
    • 8602eda : Use conservative permissions when creating files in ART

  • platform/bionic with 1 change(s)
    • 8c43445 : linker: remove link from external library on unload

  • platform/build with 1 change(s)
    • 4e0cccc : Specify --max_timestamp when calling brillo_update_payload.

  • platform/external/aac with 1 change(s)
    • 4b3541a : Fix out of bound memory access in lppTransposer

  • platform/external/boringssl with 1 change(s)

  • platform/external/bouncycastle with 1 change(s)
    • 5e2f817 : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • fd7023b : Test for error in handling getters changing element kind.

  • platform/external/curl with 1 change(s)
    • 9ce6d75 : Disable unused protocols.

  • platform/external/dng_sdk with 1 change(s)
    • 25de639 : Throw exception on integer overflow in dng_ifd.cpp.

  • platform/external/dnsmasq with 2 change(s)
    • 3576bc5 : Add extra (size_t) cast to avoid compiler warning.
    • a365ed1 : Make dnsmasq more stable.

  • platform/external/e2fsprogs with 1 change(s)
    • 45c5d4e : Ignore quotes in safe_print().

  • platform/external/libavc with 38 change(s)
    • 7dd54e1 : Decoder: Delete node from st if lt and st point to same
    • df6262d : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • be64c27 : Bug fix for flush without valid frames
    • 2a0a0f7 : Decoder: Modify setting short term reference field flag
    • a402834 : Encoder: Return error for odd resolution
    • 208c4ca : Decoder: Set prev slice type for I slice.
    • 531c04d : Decoder: Fixed reset values in parse sps.
    • b208f88 : Decoder: Fixed memory overflow in shared display mode.
    • 9447f10 : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • 7c2c60f : Decoder: Modified loop condition while parsing ref_list_reordering.
    • c0c88ec : Decoder: Handle dec_hdl memory allocation failure gracefully
    • 76c8620 : Decoder: Detect change of mbaff flag in SPS
    • 07e3891 : Decoder: Increased allocation and added checks in sei parsing.
    • 52e6bb5 : Decoder: Fixed incorrect use of mmco parameters.
    • 90e4739 : Decoder: Fixed hang in the case of dangling field
    • 6af964f : Decoder: Updated error check while parsing num_ref_idx_lx_active.
    • 11801fb : Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.
    • 1a7f81c : Decoder: Conceal picture only if valid picture buffer is obtained.
    • 450368f : Added an out of bound check on u4_num_bufs in input argument
    • 0dcaf2a : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • 103d52a : Decoder: Fixed overflow in refernce list creation.
    • cd931c2 : Initialize DPB structures to valid values.
    • d67c83b : Added error check for output buffer size.
    • 16db161 : Fixed hang in the case of multiple sps id.
    • dcdb69f : Decoder: Fix in the case of MMCO 6
    • 77cbf29 : Decoder: Cleaned up parse sps function.
    • 373cae1 : Initializing reference list for every P/B slice.
    • 89a85b6 : Fix resolution change within a decode call.
    • c479e0b : Decoder: Fixed allocation size of pred info buffer
    • 1c75e87 : Decoder: Fixes in accessing mbaff flag in error cases
    • f155fcd : Decoder: Fix end of bitstream error.
    • 8ff4369 : Decoder: Fix allocation for Mbaff weight matrix
    • 6b88a30 : Decoder: Initialize MB info buffer to zero.
    • 94e229e : Decoder: Fixed flag u1_top_bottom_decoded.
    • f26ce50 : Decoder: Added an error check while parsing PPS.
    • ead7ee9 : Fix stack buffer overflow in ih264d_process_intra_mb
    • ed412d4 : Decoder: Fix in reference list initialization.
    • e598fd6 : Fix in the case of MMCO 3 (long term reference idx).

  • platform/external/libhevc with 43 change(s)
    • 6761dcf : Add push-pop for Neon D8-D15 registers
    • 99a4946 : Add few more checks for invalid parameters in sps
    • 2742d53 : Add missing return check for short_term_ref_pic_set()
    • b75a1cd : Add bounds check for tile dimensions
    • 5da6ada : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 40c1c65 : Add limits check for the CTB position in a frame
    • b355f73 : Return error for invalid st/lt sps parameters
    • dd4e3a9 : Add limits check for depth hierarchy sps parameters
    • 5d17de7 : Return error for invalid sps sub layers parameters
    • 2a21c96 : Return error for invalid reorder parameter
    • 1435550 : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • b17c10a : Fix output buffer size check
    • cfb7511 : Update ctb pu map for I slice
    • af9c12f : Check if luma wd and ht are multiple of min cb size
    • 1481238 : Fix first frame error return
    • b8a4d10 : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • e0566be : Fixed few issues in SAO arm assemblies
    • ef32e29 : Return error for negative crop parameters
    • 86338d9 : Fix incomplete frame error
    • 0b5def5 : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • ad5a208 : Fix slice address zero for not first slice in pic
    • cd6c826 : Fix prev slice incomplete check
    • 9260acd : Set error skip ctbs as multiple 8x8 pus
    • 0d222cc : Alloc extra bytes for bits buf for parse optimzation
    • 2133cb1 : Added an out of bound check on u4_num_bufs in input argument
    • 7ebb3a2 : Fix tile index buf alloc size
    • 27839eb : Ensure CTB size 16 for clips with tiles and width/height = 4096
    • 8c87603 : Fix slice decrement for skipped slices
    • 9ebd0ea : Fix array size for hrd parameters
    • b838d85 : Return error for invalid crop parameters
    • 59169ba : Limit boundary PU sizes in case of errors
    • abed679 : Check number of output buffers and sizes
    • 994b14d : Fix OOB issue in nal unit parsing
    • 9cf3786 : Set pic_present at end of pic_init instead of beginning
    • 463bd88 : Handle error return in parse slice
    • 08e7f05 : Fix heap buffer overflow while searching for valid PPS
    • d826928 : Check for buffer overflow in pps/slice header parsing
    • 921772e : memset SPS to zero
    • 75317d5 : Fix reallocation for new sps
    • 52ffaf0 : Check for cpb cnt in hrd parsing
    • dc61de4 : Set current slice ctb x and y to fill prev incomplete slice
    • fe3d477 : Correct Tiles rows and cols check
    • ff073ec : Check only allocated mv bufs for releasing from reference

  • platform/external/libmpeg2 with 26 change(s)
    • 5b097b9 : Add push-pop for Neon D8-D15 registers
    • 3620f2f : Handle Unsupported Dimensions in Test App
    • ae4defc : Adding check for min_width and min_height
    • 5ed3f4f : Adding Check For Number of Skip MBs
    • 50fc578 : Adding Internal Input Buffer
    • 4d214f4 : Fixing Underflow of ps_dec-u2_num_mbs_left
    • ce92efa : Adding Error Check for Output Buffer Size
    • a999ab7 : Correcting Buffer Allocation for Shared Display
    • ac3953a : Adding Error Check for f_code Parameters
    • a2e3591 : Reject Multiple seq_hdr With Different Dimensions
    • be39b72 : Update num_mbs_left When mb_x is Reset.
    • fc762d8 : DoS error - Bitstream Overflow
    • a527260 : Fix Error When Input Buffer is Full
    • bfaa4d9 : Fix Half Pel MC on Last Ref Row
    • f0b6c58 : Check on Picture Dimensions
    • 453e00c : Check Number of MBs to Skip.
    • 86870f2 : Replace memcpy with memmove to Solve Memory Overlap Error
    • 61069dc : Propagating Error From impeg2d_pre_pic_dec_proc
    • 9d768ed : Fixed Memory Overflow Errors
    • 65de765 : Correcting NumCoeff Check in VLD
    • bb5dd82 : Adding Error Check For PictureStructure Param
    • 6bb086b : Update mbs_left In Case Of Missing Slice
    • 8e0aaeb : Check For Zero Width/Height in Frame Header
    • 8b058e1 : Check Number of Skip MBs
    • 897447c : Error Resilience - Check on as_recent_fld[0][1]
    • 68333d9 : Fix Bytes Consumed Issue

  • platform/external/libnfc-nci with 22 change(s)
    • d234a3f : Fix heap overflow in nfa_rw_store_ndef_rx_buf
    • bc7eb2a : Prevent OOB read in rw_i93_process_sys_info()
    • a0ffb24 : Prevent OOB error in rw_i93_sm_update_ndef()
    • eb79939 : Prevent OOB error in rw_i93_sm_read_ndef()
    • 4c10f21 : Prevent OOB error in rw_i93_sm_detect_ndef()
    • 1eec37e : Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
    • 85ec678 : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • 65cc608 : Prevent Out of bounds read in ce_t4t.cc
    • a42fa9f : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • 1036bb8 : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • ff1ee60 : Fix heap overflow in NFA_SendRawFrame()
    • fcbdbe1 : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • 65e1996 : Prevent OOB read in rw_t3t_update_block()
    • f5150a7 : Fix CVE
    • 88486e8 : Prevent Out of bound error in phNxpNciHal_process_ext_rsp
    • 95e3751 : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • 742c612 : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • bdbbff5 : Prevent Out of bounds read in llcp_dlc
    • a742980 : Improve AGF PDU integrity check to prevent OOB error
    • adc729e : Prevent OOB error in nfc_ncif_proc_get_routing()
    • 0694333 : Prevent Out of bounds read in llcp_util
    • 2ecd3c6 : Prevent OOB error for T2T read/writes

  • platform/external/libvpx with 4 change(s)
    • 7c5b8ae : Fixes a double free in ContentEncoding
    • 351a1ba : Check there is only one settings per ContentCompression
    • d3e4221 : libwebm: Cherrypick 5a41830 from upstream
    • 7cc5797 : Limit vpx decoder to 4K frames

  • platform/external/libxml2 with 1 change(s)
    • 2029791 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • 3c3b10d : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/sfntly with 1 change(s)
    • 8b698fd : Fix uninitialized value in sfntly

  • platform/external/skia with 4 change(s)
    • a2b2626 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • 64c422e : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • f410a3a : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"
    • e74f53e : Fix SkFILEStream.

  • platform/external/sonivox with 10 change(s)
    • 1ff0e3a : sonivox: prevent rejection of good but large MIDI files
    • e5bf6ce : sonivox: prevent infinite loop in OTA ringtones
    • fb5c207 : Revert "sonivox: prevent infinite loop in OTA ringtones"
    • a6e7d26 : sonivox: prevent infinite loop in OTA ringtones
    • 5c6774b : sonivox: fix hang caused by bad meta-event
    • dafaa31 : Add recursion limit to XMF_ReadNode
    • 835e4ed : Fix memory leak
    • 2b74793 : Fix interpolator
    • c7c1706 : Fix infinite recursion
    • 88e6a60 : Check chunk size

  • platform/external/sqlite with 1 change(s)
    • a531a91 : RESTRICT AUTOMERGE: Apply security patch to sqlite 3.9.

  • platform/external/svox with 1 change(s)
    • c3a05c0 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 5 change(s)
    • 6cfe593 : Add some error/overflow checks in codebook handling
    • 761f0ed : Fix OOB access in Tremolo
    • af09ca1 : Fix out of bounds access in codebook processing
    • 86782bb : Use heap instead of alloca in res012.c
    • 270803d : Always use unsigned char

  • platform/external/v8 with 6 change(s)
    • b9cedc4 : Fix type confusion in libpac
    • 7039731 : [RESTRICT AUTOMERGE] Fix Integer Overflow in libpac
    • 3c7b6b7 : [RESTRICT AUTOMERGE] Fix type confusion in libpac
    • e4dfc7d : [RESTRICT AUTOMERGE] Fix OOB Access in libpac
    • f2aa131 : Fix OOB read in libpac ast-numbering.cc
    • 532a048 : Fix type confusion in libpac

  • platform/external/wpa_supplicant_8 with 11 change(s)
    • 0e7e410 : [wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
    • 731c44e : Use BoringSSL to get random bytes
    • cdee39d : WNM: Fix WNM-Sleep Mode Request bounds checking
    • 3f12922 : TDLS: Reject TPK-TK reconfiguration
    • 7923942 : Fix PTK rekeying to generate a new ANonce
    • 05ef57a : Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
    • ab47a5c : FT: Do not allow multiple Reassociation Response frames
    • 39fe2e9 : WNM: Ignore WNM-Sleep Mode Response without pending request
    • 0fd389f : Prevent installation of an all-zero TK
    • 1e8f923 : hostapd: Avoid key reinstallation in FT handshake
    • 5b6e754 : Prevent reinstallation of an already in-use group key

  • platform/frameworks/av with 85 change(s)
    • bc3a0bf : httplive: detect oom if playlist is infinite
    • 88f7f05 : Fix overflow/dos in 3gg text description parsing
    • 378b82f : Remove unused AVIExtractor source
    • 9de7ed8 : NuPlayerCCDecoder: fix memory OOB
    • e542ee3 : audio: ensure effect chain with specific session id is unique
    • 15390be : AudioFlinger: Prevent multiple effect chains with same sessionId
    • 94ab21d : Reserve enough space for RTSP CSD
    • cd86c8f : CTS error while media dump()
    • fca128a : MediaExtractor: stop rendering when an error occurs
    • 0fb71c8 : Check for overflow of crypto size
    • 7e4fe1d : Revert "MediaExtractor: stop rendering when an error occurs"
    • 31f71d4 : M3UParser: handle missing EXT-X-MEDIA URIs
    • 4570e60 : MediaExtractor: stop rendering when an error occurs
    • 28de736 : M3UParser: make url on demand
    • 22cb4cd : Fix possible out of bounds read
    • 8b66a7f : Speed up id3v2 unsynchronization
    • b457c4c : Sanitize effect descriptors for AudioPolicyService binder calls.
    • 2fe026b : Add check preventing div0 issue
    • 2420f99 : Init gain config to prevent uninit leak.
    • ae49140 : better mpeg2 TS elementary stream Access Unit parsing
    • 65fb4b6 : Handle bad bitrate index in mp3dec.
    • d251e1c : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • 64f2c84 : Check NAL size before looking inside
    • fa24f34 : RESTRICT AUTOMERGE Prevent MediaPlayerService::Client's use-after-free
    • 7bb386c : AACExtractor: check bounds during seek
    • ed5b0b0 : httplive: check for malformed EXT-X-STREAM-INF
    • c7850da : Apply input buffer validation also to AVC and MPEG4 encoders
    • cd88b31 : IAudioPolicyService: Add attribute tags sanitization
    • a2aa5f5 : Soundtrigger service: fix status reporting in loadSoundModel
    • 3020ea9 : Access AVCDEC context after create fail check
    • be333ad : stagefright: MP4Extractor: allow 10% overhead on default sample size
    • e0d71c5 : Validate decryption key length to decrypt function.
    • 46dc302 : Fix the UAF bug caused by a dead stack variable
    • c237f31 : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • 1ed28f6 : RESTRICT AUTOMERGE Protect against possible race conditions
    • 83d8911 : SoftAVCDec: Handle zero length input without EOS
    • 96aa808 : Access HEVC context after create fail check
    • ded4114 : Fix edge case when applying id3 unsynchronization
    • 81a9bbf : Fix information disclosure in mediadrmserver
    • 5e17c5d : Soundtrigger service: fix cross deadlock with audio policy service
    • ce5e605 : IMediaExtractor: ensure users to check returned value by getTrack.
    • b8d9b60 : Fix issues with extractor dumpsys
    • 78a04ad : OMXNodeInstance: use a lock in freeNode
    • a4818f9 : m4v_h263: fix global buffer overflow
    • 8554f4b : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • 0cea824 : Revert "Fix memory leaks"
    • e8d9822 : Revert "AudioPolicyService: Acquire mutex for SoundTriggerSession"
    • 7a5273a : media: Fix a typo in parsing nclc atom.
    • 1901efb : nuplayer: handle error from MediaCodec in Decoder handleAnOutputBuffer
    • b25f53a : Track graphic buffer mode in OMXNodeInstance
    • ecacaac : Block allocateBufferWithBackup in secure native handle mode
    • 4cfb2d1 : Fix memory leaks
    • 935e482 : EffectBundle: Check parameter and value size
    • 5c74ff5 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • e7677c6 : Check buffer size in useBuffer in software components
    • 3d939a9 : stagefright: avoid buffer overflow in base64 decoder
    • ef2dcdd : Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
    • bb7595a : Fix 'potential memory leak' compiler warning.
    • 94defc3 : Fix memory leak in OggExtractor
    • 6094f32 : Skip track if verification fails
    • acf115e : MPEG4Source: fix fragmented read.
    • c8dd5e8 : MediaPlayerService: fix access of mPlayer in client
    • ab9cf54 : audio effects: filter reserved effect commands
    • 875fc6c : stagefright: fix crash due to bad timestamp index
    • 3dbe411 : stagefright: check aac_frame_length to prevent infinite loop
    • f7adc65 : MPEG4Extractor: ensure returned status is checked.
    • db8e208 : Change MPEG2 reinit Error Handling
    • 95c9494 : Track: Check buffer size of static tracks
    • cb5f237 : Notify Errors Appropriately from SoftMPEG2
    • 73d844a : AudioFlinger: Fix memory allocation for client-less tracks
    • abef9dd : MPEG4Extractor: check size for yrrc box
    • a860ec1 : EffectBundle: Check value size for get preset name
    • 24abd3b : Fix TOCTOU problem in libstagefright_soft_aacenc
    • 4a4bd9f : Fix security vulnerability: Equalizer setParameter memory overflow
    • f43f70b : RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
    • 09aa90d : better manage buffer for libstagefright_soft_mpeg4enc
    • 5a69f16 : m4v_h263: update width/height only when they are valid.
    • 2d0edba : m4v_h263: check header first before decoding a frame.
    • af21524 : Fix integer overflow in mediadrmserver
    • 036238e : Fix potential leak
    • 0026c8e : Modifying MetaData invalidates previous char*
    • 3009152 : Fix memory leak in error case
    • 1c26c89 : Limit ogg packet size
    • 0273287 : Prevent OOB write in soft_avc encoder
    • 32561db : Don't allow using or allocating a buffer after the first state transition

  • platform/frameworks/base with 56 change(s)
    • 114df46 : Clear the Parcel before writing an exception during a transaction
    • fa73d34 : Protect VPN dialogs against overlay.
    • b791b8a : [RESTRICT AUTOMERGE] Make Lock task default behaviour consistent with Settings.
    • dac70b3 : SUPL ES Extension - June 2019 rollup
    • 7d3e3b1 : Limit IsSeparateProfileChallengeAllowed to system callers
    • 530518d : [RESTRICT AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
    • 2599f36 : [RESTRICT AUTOMERGE] Added missing permission check to isPackageDeviceAdminOnAnyUser.
    • 2e41047 : Permission Check For DPM.getPermittedAccessibilityServices
    • f333b95 : Revert "Adding SUPL NI Emergency Extension Time"
    • b6685b3 : Select only preinstalled Spell Checker Services
    • 6ad3c58 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • 1f6d71f : Adding SUPL NI Emergency Extension Time
    • 25d258f : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • d4006b2 : RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
    • 6eea4a7 : Verify number of Map entries written to Parcel
    • ee1a0f0 : Fix crash during cursor moving on BiDi text
    • 3d7caf5 : [automerger] Optimise the hit test algorithm am: 71ecf5bd5c am: 42eaa8f932 am: a72cb45f89 am: f5d69aa775
    • 37750eb : Fix TrackInfo parcel write
    • 85d07d2 : Resolve inconsistent parcel read in NanoAppFilter
    • 9a237ac : RESTRICT AUTOMERGE: Prevent shortcut info package name spoofing
    • f9c6610 : Revert "Optimise the hit test algorithm"
    • d33e25e : Fix DynamicRefTable::load security bug
    • a8faaef : ResStringPool: Prevenet boot loop from se fix
    • 9dceb02 : Optimise the hit test algorithm
    • 15f91bd : Make safe label more safe
    • 5797ff6 : clearCallingIdentity before calling into getPackageUidAsUser
    • a9d5e50 : Nullcheck to fix Autofill CTS
    • c9960f0 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to nyc-dev)
    • 2c36d0c : ResStringPool: Fix security vulnerability
    • 13f2367 : Rework thumbnail cleanup
    • 14aa0fa : Fixed Security Vulnerability of DcParamObject
    • 941a160 : Verify last array's length in readFromParcel
    • 569924d : Update internal ViewPager's SavedState to match Support Library version
    • 66c5ede : Fix VerifyCredentialResponse parcelling code
    • a56a6bf : [RTT] ParcelableRttResults parcel code fix
    • e8807a2 : Adjust URI host parsing to stop on \ character.
    • 69438cd : Check for null-terminator in ResStringPool::string8At
    • 14809e6 : Adjust Uri host parsing to use last instead of first @.
    • 94079d2 : mtp: fix double free of thumbnail data
    • 2878388 : Use calling user ID when calling isDeviceLocked
    • 3432c29 : Fix ClipboardService device lock check for cross profile
    • 12b0a09 : Prevent getting data from Clipboard if device is locked
    • 372ffd0 : Stop explicitly using kCallerPasses_Ownership
    • a7e0b29 : Revert "Prevent getting data from Clipboard if device is locked"
    • a0e8536 : Revert "Fix ClipboardService device lock check for cross profile"
    • fe293bb : Fix ClipboardService device lock check for cross profile
    • be9c779 : Prevent getting data from Clipboard if device is locked
    • ab5b9c1 : DPC should not be allowed to grant development permission
    • d9b13fd : Clearing up invalid entries when SyncStorageEngine starts
    • 90c9728 : Enforce policy for camera gesture in keyguard
    • dcb83b3 : Fix security hole in GateKeeperResponse.
    • 3fa9fd9 : Back-port fixes for b/62196835
    • aa292fd : Close connection before retrying
    • 338fb41 : ZygoteInit: Remove CAP_SYS_RESOURCE
    • 86611ce : system_server: add CAP_SYS_PTRACE
    • 3725e46 : Make a11y node info parceling more robust

  • platform/frameworks/ex with 2 change(s)
    • f844ba9 : Add bounds checking for transparency lookup
    • 949dc4c : Skip composition of frames lacking a color map

  • platform/frameworks/native with 10 change(s)
    • 3fe6770 : [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
    • 0491ab2 : libbinder: readCString: no ubsan sub-overflow
    • d391243 : Sanitize InputMessage before sending
    • ef9ecf5 : Increment when attempting to read protected Parcel Data
    • 3be54ae : Don't pad before calling writeInPlace().
    • 05d2be8 : Disallow reading object data from Parcels with non-object reads
    • 0d4a6e4 : fix race condition that can cause a use after free
    • 82a4d7c : libgui: check for invalid slot in attachBuffer
    • 557879e : libgui: Check slot received from IGBP in Surface
    • 85c7095 : ui: Fix bad size check in Fence::unflatten

  • platform/frameworks/opt/net/wifi with 2 change(s)
    • 84ce1ac : RESTRICT AUTOMERGE: WifiServiceImpl: fix and add tethering checks
    • 0dd681f : cherry-pick: wifinative jni: check array length for trackSignificantWifiChange

  • platform/frameworks/opt/telephony with 1 change(s)
    • 6e8f897 : Fixed invalid pdu issue

  • platform/hardware/qcom/audio with 2 change(s)
    • d4af6ed : Equalizer: Check value size for get preset name
    • 516c0cd : Fix security vulnerability: Equalizer setParameter memory overflow

  • platform/libcore with 7 change(s)
    • df1dba3 : Fix hostname parsing in java.net.URLStreamHandler.
    • f96428a : Fix failing FileTest#test_canonicalCachesAreOff()
    • 97954f2 : Disable File.getCanonicalPath caches.
    • 2a1816e : Proper fix for rejecting ftp URL with /r/n.
    • 1f56d42 : Revert "Reject ftp URLConnection containing /r/n in user info."
    • 2757235 : Reject ftp URLConnection containing /r/n in user info.
    • 3305ffb : Test for rejection of ftp URL with /r/n in userinfo

  • platform/packages/apps/Bluetooth with 3 change(s)
    • 6ac5aea : Make sure server response doesn't exceed maximum allowable length
    • c8718ff : OPP: Restrict file based URI access to external storage
    • 3c9d358 : Prevent OPP from opening files that aren't sent over Bluetooth

  • platform/packages/apps/Contacts with 1 change(s)
    • d7c2172 : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/Email with 3 change(s)
    • a9802e6 : AOSP/Email - bug fix: do not allow composing message with hidden private data attachments.
    • c306585 : AOSP/Email - Second part of the Security Vulnerability fix - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • 2a88b65 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 2 change(s)
    • 2e6c77a : Messaging ignores file URIs shared via intent
    • 634904d : 37742976 - Catch bad gifs

  • platform/packages/apps/Nfc with 2 change(s)
    • 8a866b1 : Prevent OOB write in phFriNfc_ExtnsTransceive
    • cf17d37 : Add READ_EXTERNAL_STORAGE for file based Uri while beaming.

  • platform/packages/apps/PackageInstaller with 1 change(s)
    • 918fb69 : RESTRICT AUTOMERGE: Always use safe labels

  • platform/packages/apps/Settings with 9 change(s)
    • 73067cf : [RESTRICT AUTOMERGE] Make ScreenPinningSettings behaviour consistent with lock tasks.
    • 96e9f30 : Do not allow draw on top for App notification settings
    • cc8f8c0 : Do not allow draw on top for default sms picker.
    • cb7d427 : Reword bluetooth confirmation dialog
    • 6b84d76 : Set device credential's Window flag to be SECURE.
    • 6f3ea1a : Disabling the activate button when paused
    • f9ec7fc : Back-port ag/2491664
    • c727550 : Fix phishing attack in ChooseLockGeneric
    • af50c7d : resolve merge conflicts of 3964c51bf2 to nyc-dev

  • platform/packages/apps/UnifiedEmail with 4 change(s)
    • a737892 : AOSP/UnifiedEmail - bug fix to composing messages.
    • 6cc34e7 : AOSP/Email - Fixed - Security Vulnerability - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • f947635 : Filter Attachment file name of forward slashes for .eml attachments.
    • 87b5a1c : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • baa1325 : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 855813c : Rework thumbnail cleanup

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • 74e6bb1 : Check access to user and password fields in APN db

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • d455ec5 : Check caller before accessing database

  • platform/packages/services/Telecomm with 1 change(s)
    • a92b270 : Add flag to default dialer change dialog

  • platform/system/bt with 30 change(s)
    • 4a71fca : Fix buffer overflow in btif_dm_data_copy
    • 9f9bbcf : Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
    • 7147c33 : Fix possible OOB read in process_service_search_rsp
    • 70b6399 : Checks the SMP length to fix OOB read
    • 9c379f4 : Fix copy length calculation in sdp_copy_raw_data
    • 8efc86e : Don't use Address after it was deleted
    • 84cf108 : Add packet length checks in l2cble_process_sig_cmd
    • 0c0435b : SDP: return error on offset bigger than atribute length
    • 9ee2c32 : Add checks whether the AVDTP element data length is valid
    • b15ae8d : BNEP: Fix OOB access in bnep_data_ind
    • afa795e : Decrease length after reading from array in process_service_attr_req
    • f77d073 : GATT: Handle too short Error Response PDU
    • cf09e21 : Add PDU size checks in process_service_search_attr_rsp
    • 2d05b8d : RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
    • 0069d85 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • 7e1b22f : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • 69ea631 : BNEP: Check received frame type
    • 9dbc614 : SDP: Pass the bounds to process_service_*_rsp
    • 36cefa8 : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 2571ae8 : Removed alarm callback execution statistics
    • ae69f55 : Read the correct amount of attributes
    • 8496cf1 : SDP: Bounds check 'id' parameter for free_sdp_slot()
    • 42dc9df : Add missing extension length check while parsing BNEP control packets
    • 83faf6a : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • 7d368a6 : Add a missing check for PAN buffer size before copying data
    • 87416af : Disable PAN Reverse Tethering when connection originated by the Remote
    • cdefa50 : Allocate buffers of the right size when BT_HDR is included
    • 6c8432e : Add missing packet length checks while parsing BNEP control packets
    • ae95903 : Add missing continuation offset check for SDP continuation requests
    • e6e5e7f : Check LE advertising data length before caching advertising records

  • platform/system/core with 5 change(s)
    • e86fe1d : String16: remove integer overflows
    • 2e55ec2 : libnetutil: Check dhcp respose packet length
    • 9a0048e : zip_archive: reject files that don't start with an LFH signature.
    • 92c2381 : Fix integer overflow in utf{16,32}_to_utf8_length
    • 708e029 : Fix out of bound read in libziparchive

  • platform/system/gatekeeper with 1 change(s)
    • 9c0be39 : Remove potential double free

  • platform/system/media with 2 change(s)
    • e42fd08 : Camera: Initialize metadata padding field
    • 1d9f881 : Camera metadata: Check source metadata size

  • platform/system/sepolicy with 1 change(s)
    • a851c17 : system_server: replace sys_resource with sys_ptrace

  • platform/system/update_engine with 2 change(s)
    • 53d78e2 : Add SafetyNet logging for payload timestamp error.
    • 97e1b73 : Add maximum timestamp to the payload.

  • platform/system/vold with 1 change(s)
    • f337373 : Require quotes when searching for blkid keys.