Android Oreo AOSP Changes

Changes from 8.0.0_r36 (OPR5.170623.014) to 8.0.0_r37 (OC):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (1):

Updated Components (59):

  • device/google/dragon with 1 change(s)
    • 4899bec : Fix audio record pre-processing

  • platform/build with 4 change(s)
    • 34b33de : Change build id to OC
    • f230877 : Specify --max_timestamp when calling brillo_update_payload.
    • ec4fe4f : Update platform security string to 2017-10-01 in oc-dev Bug:64896113
    • 4a3d5d1 : Updating Security String to 2017-09-01 Bug:63846344

  • platform/cts with 34 change(s)
    • d4f3286 : Recover shady content:// paths.
    • 9378cde : Verify a Map size mismatch in Parcel#writeMapInternal causes an exception
    • 7c3a8a8 : test if b/65484460 is fixed.
    • 1074120 : Backport CTS for [Prevent shortcut info package name spoofing]
    • dad207f : RESTRICT AUTOMERGE: CTS: Verify DynamicRefTable::load security fix
    • d259ae4 : RESTRICT AUTOMERGE: Make CTS test testQuery more flexible
    • c3b330d : Fixed ContentProviderCursorWindowTest
    • 299e925 : Rename testStagefright_b72165027 to meet naming standards
    • 1d02b73 : [RESTRICT AUTOMERGE] Use older "cancel" API for compat with AOSP.
    • 7e3709c : RESTRICT AUTOMERGE: CTS: Created ResStringPool security tests
    • cc63e8e : sonivox: fix hang caused by bad meta-event (cts)
    • 6a36804 : Added autofill test to check apps cannot bypass package name on AssistStructure
    • 647eb69 : CTS for presence of avc fix for b/70897454
    • 6575fa7 : Add CTS test for URI fix.
    • 9c0602a : CTS additions for b/72165027
    • a203d15 : CTS tests for b/70897394
    • 91352ad : ResourcesTest should handle recursive drawable throwing NotFoundException Bug: 67462465 Bug: 66498711 Test: test succeeds $ runtest --path=cts/tests/tests/content/src/android/content/res/cts/ResourcesTest.java ... android.content.res.cts.ResourcesTest:....................................................
    • 7dc035e : Camera: Add test for OutputConfiguration parcelling
    • e790279 : Add CTS test to verify that overlays cannot be installed
    • 5b030b0 : Test for bug 69478425
    • d0bdc7e : Add CTS test for bug 65483665
    • 5810327 : Add EffectBundleTest
    • 9b596eb : Add EffectBundleTest
    • 19cbeef : Add CTS test for URI fix.
    • 1b202fd : Verify b/67737022 fix presence
    • 30caf20 : resolve merge conflicts of 4e1d862763 to mnc-dev
    • 1a92f15 : Add new test type to StagefrightTest
    • 86f1892 : Test that createBitmap(65535,65535) throws OOME
    • 0b6b467 : Add CTS test for cve_2017_0852_b_62815506
    • 52c2c68 : CTS test for fix of b/65717533
    • 530e31a : cts: ensure AAudio MMAP cannot be turned on by app
    • 0fe0f2b : Assert that PM requires APK to start with ZIP LFH
    • d3bb1a7 : Add a test for invalid webp file
    • ba18630 : Move test case to StagefrightTest

  • platform/external/aac with 2 change(s)
    • 9158bbc : Prevent out of bounds accesses in lppTransposer()
    • f73ea1a : Fix out of bound memory access in lppTransposer

  • platform/external/bouncycastle with 1 change(s)
    • 0f11f57 : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • 0c23ac0 : Test for error in handling getters changing element kind.

  • platform/external/curl with 1 change(s)
    • 79cd330 : Disable unused protocols.

  • platform/external/dnsmasq with 2 change(s)
    • 514618c : Add extra (size_t) cast to avoid compiler warning.
    • ddc09a7 : Make dnsmasq more stable.

  • platform/external/e2fsprogs with 1 change(s)
    • e1af0f3 : Ignore quotes in safe_print().

  • platform/external/libavc with 21 change(s)
    • 1c47196 : Decoder: Delete node from st if lt and st point to same
    • 6b24953 : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • d10325e : Decoder: Modify setting short term reference field flag
    • 9050213 : Encoder: Return error for odd resolution
    • 3d2e74a : Decoder: Set prev slice type for I slice.
    • cab68f2 : Decoder: Fixed reset values in parse sps.
    • 4529228 : Decoder: Fixed memory overflow in shared display mode.
    • 1127dea : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • f57f73d : Decoder: Modified loop condition while parsing ref_list_reordering.
    • ed709e7 : Decoder: Handle dec_hdl memory allocation failure gracefully
    • 8ff33cd : Decoder: Detect change of mbaff flag in SPS
    • 87cd923 : Decoder: Increased allocation and added checks in sei parsing.
    • 8090346 : Decoder: Fixed incorrect use of mmco parameters.
    • c68ba5c : Decoder: Fixed hang in the case of dangling field
    • f06beb1 : Decoder: Updated error check while parsing num_ref_idx_lx_active.
    • 693c9a7 : Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.
    • 1dbb6dd : Decoder: Conceal picture only if valid picture buffer is obtained.
    • 5be23b9 : Added an out of bound check on u4_num_bufs in input argument
    • cca7b32 : Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
    • b971b5c : Decoder: Fixed overflow in reference list creation.
    • 18f958d : Initialize DPB structures to valid values.

  • platform/external/libhevc with 33 change(s)
    • 9b35a26 : Add push-pop for Neon D8-D15 registers
    • d3e784e : Add few more checks for invalid parameters in sps
    • 760d28c : Add missing return check for short_term_ref_pic_set()
    • f22f987 : Add bounds check for tile dimensions
    • 0ecca26 : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • cccdf55 : Add limits check for the CTB position in a frame
    • d450bd8 : Fix overflow in sei user data parsing
    • 3226a37 : Return error for invalid st/lt sps parameters
    • 3469e55 : Add limits check for depth hierarchy sps parameters
    • 33e9d79 : Return error for invalid sps sub layers parameters
    • 79fb6df : Return error for invalid reorder parameter
    • 13b8ec2 : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • cb7dec8 : Fix output buffer size check
    • d7279af : Update ctb pu map for I slice
    • d7ba51e : Check if luma wd and ht are multiple of min cb size
    • 52b787f : Fix first frame error return
    • 1a274bc : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • 8a16f97 : Return error for negative crop parameters
    • f82b68a : Fix incomplete frame error
    • ce9b8b2 : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • fb4ca01 : Fix slice address zero for not first slice in pic
    • f7808e9 : Fix prev slice incomplete check
    • 9258438 : Consume bytes for sps with unsupported resolution
    • dfd6530 : Set error skip ctbs as multiple 8x8 pus
    • 9ba1605 : Alloc extra bytes for bits buf for parse optimization
    • 62d0f91 : Fix overflow in sei timing params
    • fbe0a07 : Fix reallocation for new sps
    • 4a0ef29 : Added an out of bound check on u4_num_bufs in input argument
    • d286a22 : Fix tile index buf alloc size
    • 33eb18a : Ensure CTB size 16 for clips with tiles and width/height = 4096
    • 29a0111 : Fix slice decrement for skipped slices
    • 41f356a : Fix array size for hrd parameters
    • d0761e2 : Limit boundary PU sizes in case of errors

  • platform/external/libmpeg2 with 19 change(s)
    • da285b4 : Add push-pop for Neon D8-D15 registers
    • 6b51935 : Handle Unsupported Dimensions in Test App
    • f27d789 : Adding check for min_width and min_height
    • 331dde9 : Adding Check For Number of Skip MBs
    • d2182a2 : Adding Internal Input Buffer
    • 394a897 : Fixing Underflow of ps_dec-u2_num_mbs_left
    • 23cd2da : Adding Error Check for Output Buffer Size
    • 5a017a1 : Correcting Buffer Allocation for Shared Display
    • 94f08f7 : Adding Error Check for f_code Parameters
    • dfa072b : Reject Multiple seq_hdr With Different Dimensions
    • 18384c3 : Update num_mbs_left When mb_x is Reset.
    • afaa202 : DoS error - Bitstream Overflow
    • c309cf0 : Fix Error When Input Buffer is Full
    • 2ccb60c : Fix Half Pel MC on Last Ref Row
    • bf26b24 : Check on Picture Dimensions
    • 08d1714 : Check Number of MBs to Skip.
    • 67085f9 : Replace memcpy with memmove to Solve Memory Overlap Error
    • 44d6813 : Propagating Error From impeg2d_pre_pic_dec_proc
    • eb75d83 : Fixed Memory Overflow Errors

  • platform/external/libvpx with 3 change(s)
    • 7387971 : Fixes a double free in ContentEncoding
    • 0c0fdde : Check there is only one settings per ContentCompression
    • 3c6bea7 : libwebm: Cherrypick 5a41830 from upstream

  • platform/external/libxml2 with 1 change(s)
    • 9a41394 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/mdnsresponder with 1 change(s)

  • platform/external/neven with 1 change(s)
    • ae0bc4b : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/sfntly with 1 change(s)
    • 79af25f : Fix uninitialized value in sfntly

  • platform/external/skia with 5 change(s)
    • a923def : RESTRICT AUTOMERGE: Fix bug decoding JCS_RGB jpeg files
    • 5fe3f03 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • f3637be : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • 4eb0968 : Cherry-pick "begin cleanup of malloc porting layer"
    • 60e2b1e : Fix truncated webp images

  • platform/external/sonivox with 7 change(s)
    • b55c6f1 : sonivox: prevent rejection of good but large MIDI files
    • 3d3d99c : sonivox: prevent infinite loop in OTA ringtones
    • 2029e3f : Revert "sonivox: prevent infinite loop in OTA ringtones"
    • 41ad58b : sonivox: prevent infinite loop in OTA ringtones
    • 2168220 : sonivox: fix hang caused by bad meta-event
    • abc33f8 : Add recursion limit to XMF_ReadNode
    • 110b1ba : Fix memory leak

  • platform/external/sqlite with 1 change(s)
    • 4fc57d8 : Apply security patch to sqlite 3.18.

  • platform/external/svox with 1 change(s)
    • a55b401 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 4 change(s)
    • 4208c9d : Add some error/overflow checks in codebook handling
    • edac026 : Fix OOB access in Tremolo
    • f49bca9 : Fix out of bounds access in codebook processing
    • 209b2e0 : Use heap instead of alloca in res012.c

  • platform/external/v8 with 5 change(s)
    • 3413d52 : Fix type confusion in libpac
    • 59054ef : [RESTRICT AUTOMERGE] Fix Integer Overflow in libpac
    • f64d7dc : Fix OOB read in libpac ast-numbering.cc
    • edfc8c9 : Fix type confusion in libpac
    • de4fa75 : Backport: Fix Object.entries/values with changing elements

  • platform/external/wpa_supplicant_8 with 11 change(s)
    • 99c44ad : [wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
    • 7656d8c : Use BoringSSL to get random bytes
    • dda3b47 : WNM: Fix WNM-Sleep Mode Request bounds checking
    • 94a7801 : TDLS: Reject TPK-TK reconfiguration
    • 65ad7c5 : Fix PTK rekeying to generate a new ANonce
    • 86cc82e : Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
    • ae115af : FT: Do not allow multiple Reassociation Response frames
    • 5af1d82 : WNM: Ignore WNM-Sleep Mode Response without pending request
    • 1273f61 : Prevent installation of an all-zero TK
    • 10264d2 : hostapd: Avoid key reinstallation in FT handshake
    • efae28e : Prevent reinstallation of an already in-use group key

  • platform/frameworks/av with 71 change(s)
    • ef98afa : httplive: detect oom if playlist is infinite
    • e974f44 : Fix overflow/dos in 3gg text description parsing
    • c5705cc : Zero-initialize HIDL structs before passing
    • 0a037d6 : Remove unused AVIExtractor source
    • 3b56953 : NuPlayerCCDecoder: fix memory OOB
    • 569aab0 : audio: ensure effect chain with specific session id is unique
    • d3d392f : AudioFlinger: Prevent multiple effect chains with same sessionId
    • 3c93d7f : Reserve enough space for RTSP CSD
    • 62bfb5d : AudioFlinger: put effect desc lookup under mutex for createEffect
    • d431ed3 : CTS error while media dump()
    • e485221 : MediaExtractor: stop rendering when an error occurs
    • bb743e0 : Check for overflow of crypto size
    • e1efcaa : Fix information disclosure in mediadrmserver
    • 21e9ba9 : Revert "MediaExtractor: stop rendering when an error occurs"
    • 47127b6 : M3UParser: handle missing EXT-X-MEDIA URIs
    • c4632d8 : Allow kPortModeDynamicANWBuffer for kBufferTypeANWBuffer in useBuffer
    • 6111a39 : MediaExtractor: stop rendering when an error occurs
    • ea7967e : OMXNodeInstance: Allow dynamic native handle mode for input buffers
    • 1c30696 : Fix possible out of bounds read
    • 9ea0102 : M3UParser: make url on demand
    • 782d1fa : omx: restrict useBuffer according to buffer type and port mode
    • 6202ca1 : Fix security vulnerability in CryptoHal
    • 60954f8 : Speed up id3v2 unsynchronization
    • 81b9713 : Sanitize effect descriptors for AudioPolicyService binder calls.
    • 6fae923 : Add check preventing div0 issue
    • acbfe85 : Init gain config to prevent uninit leak.
    • 969c07a : better mpeg2 TS elementary stream Access Unit parsing
    • 43af371 : Handle bad bitrate index in mp3dec.
    • f20bc54 : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • 5a47268 : Check NAL size before looking inside
    • ee4b576 : Refactor MediaPlayerBase's notify
    • ab51c69 : Prevent MediaPlayerService::Client's use-after-free
    • 2c153a1 : Fix use of uninitialized value in libmediadrm
    • 7c8e8d1 : Fix potential buffer overflow in mediadrmserver
    • e2c4a8e : AACExtractor: check bounds during seek
    • 1312613 : httplive: check for malformed EXT-X-STREAM-INF
    • 53fc331 : Apply input buffer validation also to AVC and MPEG4 encoders
    • 9b37cb5 : IAudioPolicyService: Add attribute tags sanitization
    • 3acf785 : Access AVCDEC context after create fail check
    • cf87eb7 : stagefright: MP4Extractor: allow 10% overhead on default sample size
    • e570476 : Validate decryption key length to decrypt function.
    • 74d5699 : Fix the UAF bug caused by a dead stack variable
    • cdcc15f : avoid 32-bit integer overflow
    • e8b2d12 : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • 4f3b2fa : Protect against possible race conditions
    • 2e3aca9 : SoftAVCDec: Handle zero length input without EOS
    • 0159c40 : Access HEVC context after create fail check
    • eaaf0f7 : Fix edge case when applying id3 unsynchronization
    • bcca73c : Fix information disclosure in mediadrmserver
    • ca556b6 : Soundtrigger service: fix cross deadlock with audio policy service
    • 2f128ac : aaudio: disable MMAP mode by not creating AAudioService
    • d70f9d3 : OMXNodeInstance: use a lock around OMX::freeNode
    • 8caf6ff : m4v_h263: fix global buffer overflow
    • f8c8583 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • e3658a1 : Revert "Fix memory leaks"
    • 5667131 : Revert "AudioPolicyService: Acquire mutex for SoundTriggerSession"
    • 08f20a1 : Put media.metrics service into proper group
    • 289f83f : Track graphic buffer mode in OMXNodeInstance
    • bbd9781 : Fix memory leaks
    • ddb986c : EffectBundle: Check parameter and value size
    • d070c68 : AudioPolicyService: Acquire mutex for SoundTriggerSession
    • c854040 : Check buffer size in useBuffer in software components
    • 51a41ba : stagefright: avoid buffer overflow in base64 decoder
    • e9b17df : Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
    • 7622b53 : Fix memory leak in OggExtractor
    • 9c70642 : Skip track if verification fails
    • 5ebfbb4 : MediaPlayerService: fix access of mPlayer in client
    • cfe25ad : audio effects: filter reserved effect commands
    • dea0dbd : stagefright: fix crash due to bad timestamp index
    • f094c85 : stagefright: check aac_frame_length to prevent infinite loop
    • 663ffc8 : Check frame handle validity before freeing buffer.

  • platform/frameworks/base with 68 change(s)
    • b8b11c7 : Clear the Parcel before writing an exception during a transaction
    • 331c07f : Protect VPN dialogs against overlay.
    • 4d62401 : [RESTRICT AUTOMERGE] Make Lock task default consistent w/ Settings (oc).
    • b442b17 : HwBlob: s/malloc/calloc/
    • 4946ff8 : OP_REQUEST_INSTALL_PACKAGES denied by default
    • 048e0ae : SUPL ES Extension - June 2019 rollup
    • dee07f7 : [RESTRICT_AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
    • ebf1d35 : Limit IsSeparateProfileChallengeAllowed to system callers
    • cc70c5e : Added missing permission check to isPackageDeviceAdminOnAnyUser.
    • eb8a4b0 : Permission Check For DPM.getPermittedAccessibilityServices
    • e9dfad0 : Revert "Adding SUPL NI Emergency Extension Time"
    • 9ef32b8 : Select only preinstalled Spell Checker Services
    • ac3b237 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • 7226be0 : Adding SUPL NI Emergency Extension Time
    • dc7ad17 : Bluetooth: Check descriptors size in BluetoothHidDeviceAppSdpSettings
    • 90cf9d7 : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • 807a7ac : Hide overlay windows when requesting media projection permission.
    • 07f894c : Verify number of Map entries written to Parcel
    • 7fe98aa : Fix crash during cursor moving on BiDi text
    • 3c0c6c0 : Optimise the hit test algorithm
    • dd7baf6 : Fix TrackInfo parcel write
    • 758a28e : Resolve inconsistent parcel read in NanoAppFilter
    • 317d16c : vpn: allow IPSec traffic through Always-on VPN
    • 1e4f397 : Backport Prevent shortcut info package name spoofing
    • 570a397 : Revert "Optimise the hit test algorithm"
    • b87d318 : Fix DynamicRefTable::load security bug
    • c967e42 : ResStringPool: Prevent boot loop from se fix
    • 0231b21 : Optimise the hit test algorithm
    • 818d032 : WM: Prevent secondary display focus while keyguard is up
    • 5360645 : Make safe label more safe
    • c18765c : clearCallingIdentity before calling into getPackageUidAsUser
    • ba8cfd8 : Nullcheck to fix Autofill CTS
    • 20b02cf : Osu: fixed Mismatch between createFromParcel and writeToParcel
    • 95bfa58 : Fix broken check for TelephonyManager#getForbiddenPlmns
    • 5e3da08 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-dev)
    • 10e6fd0 : ResStringPool: Fix security vulnerability
    • d71c10f : Use concrete CREATOR instance for parceling lists
    • 8ef1830 : Proper autofill fix to let phone process autofill Settings activity.
    • eae3c07 : Fixed Security Vulnerability of DcParamObject
    • 96f450c : Verify last array's length in readFromParcel
    • 156e290 : Update internal ViewPager's SavedState to match Support Library version
    • a046afb : Make sure apps cannot forge package name on AssistStructure used for Autofill.
    • 8ff0010 : Fix VerifyCredentialResponse parcelling code
    • 37229f1 : [RTT] ParcelableRttResults parcel code fix
    • 0587e6a : Fix bad type for txPower in PeriodicAdvertisingReport serialization
    • b56f57e : Adjust URI host parsing to stop on \ character.
    • cf0fd11 : AdaptiveIconDrawable should not update layer bounds when bound is empty
    • f193d6a : Check for null-terminator in ResStringPool::string8At
    • 9703505 : RESTRICT AUTOMERGE Preventing recursive reference in drawables
    • 30c4d8b : OutputConfiguration: Fix missing mIsShared in parcel read
    • aade118 : Wrap StackOverflowError in NotFoundException. Bug: 67462465 Bug: 66498711 Test: builds and tested using faulty apk with recursive drawable. Change-Id: I47691343dae892beb5ed8c1c66c33edefade321e (cherry picked from commit dc92d925d819d2c385c04e49369e8574fa111d14)
    • d4de75a : OMS: Only allow trusted overlays to be registered.
    • 4846420 : Swap the order of synthetic password wrapping
    • f0fd9f6 : Adjust Uri host parsing to use last instead of first @.
    • be2b686 : mtp: fix double free of thumbnail data
    • 410848e : Use calling user ID when calling isDeviceLocked
    • 732e973 : Throw OOME if Bitmap.nativeCreate fails
    • 236116c : Fix ClipboardService device lock check for cross profile
    • 2cbbfc6 : Prevent getting data from Clipboard if device is locked
    • 87d242c : Only construct real Throwable objects.
    • e72940b : Revert "Prevent getting data from Clipboard if device is locked"
    • 6ab2209 : Revert "Fix ClipboardService device lock check for cross profile"
    • e70be3f : Fix ClipboardService device lock check for cross profile
    • f4263a7 : Prevent getting data from Clipboard if device is locked
    • 10685b5 : Backport overlay security fix
    • 9380f05 : DPC should not be allowed to grant development permission
    • b08e086 : Enforce policy for camera gesture in keyguard
    • 04881e2 : Fix security hole in GateKeeperResponse.

  • platform/frameworks/ex with 2 change(s)
    • f94e3df : Add bounds checking for transparency lookup
    • 78297bd : Skip composition of frames lacking a color map

  • platform/frameworks/minikin with 1 change(s)
    • fa20c84 : Fix OOB read due to integer overflow

  • platform/frameworks/native with 9 change(s)
    • 2034c67 : [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
    • 16f6479 : libbinder: readCString: no ubsan sub-overflow
    • 67d92f3 : Zero-initialize HIDL structs before passing
    • 4ef7620 : Sanitize InputMessage before sending
    • 3bbeeb8 : Increment when attempting to read protected Parcel Data
    • 59344da : Don't pad before calling writeInPlace().
    • fd6f726 : Disallow reading object data from Parcels with non-object reads
    • 19e43ae : Add bounds check to sensors direct channel creation
    • a5530e8 : surfaceflinger: make vsync injection more robust

  • platform/frameworks/opt/telephony with 1 change(s)
    • 882dd97 : Fixed invalid pdu issue

  • platform/hardware/interfaces with 1 change(s)
    • 8caf734 : Add tests to validate key length for clearkey plugin.

  • platform/libcore with 3 change(s)
    • fe945a5 : Fix hostname parsing in java.net.URLStreamHandler.
    • 860b9d6 : Fix failing FileTest#test_canonicalCachesAreOff()
    • 0f9b36a : Disable File.getCanonicalPath caches.

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 8038dd1 : Make sure server response doesn't exceed maximum allowable length

  • platform/packages/apps/Contacts with 1 change(s)
    • 9845c83 : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/Email with 3 change(s)
    • 4919470 : AOSP/Email - bug fix: do not allow composing message with hidden private data attachments.
    • 4b0218e : AOSP/Email - Second part of the Security Vulnerability fix - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • dbcc03b : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 2 change(s)
    • 59c330d : Messaging ignores file URIs shared via intent
    • a105c5f : 37742976 - Catch bad gifs

  • platform/packages/apps/Nfc with 2 change(s)
    • 8682b1b : Prevent OOB write in Mfc_Transceive
    • 307f279 : Prevent OOB write in phFriNfc_ExtnsTransceive

  • platform/packages/apps/PackageInstaller with 5 change(s)
    • 888a1d7 : [RESTRICT AUTOMERGE]: OP_REQUEST_INSTALL_PACKAGES denied by default
    • f4186c3 : Ask for PIN when granting permissions in front of lock screen
    • 6a58351 : RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL
    • 31583c3 : RESTRICT AUTOMERGE: Always use safe labels
    • eff0724 : Backport overlay security fix

  • platform/packages/apps/Settings with 11 change(s)
    • 7070984 : [RESTRICT AUTOMERGE] Make ScreenPinningSettings behaviour consistent with lock tasks.
    • e96945c : Do not allow draw on top for App notification settings
    • 24d9d53 : Treat mode_default as denied for install_unknown_apps
    • 7ac5ee0 : Do not allow draw on top for default sms picker.
    • 4831ee3 : Hide quicksetting tile for dev options when it's turned off
    • 8d753bd : Delete obsolete activity alias for dev settings
    • 29b46e5 : Update the way OMS records details about overlays
    • e0bcbc9 : Reword bluetooth confirmation dialog
    • 888e364 : Fix BluetoothPairingDialogTest to not expect device name
    • 6371631 : Set device credential's Window flag to be SECURE.
    • f0a58c0 : Backport overlay security fix

  • platform/packages/apps/UnifiedEmail with 4 change(s)
    • 72c6669 : AOSP/UnifiedEmail - bug fix to composing messages.
    • c43afbe : AOSP/Email - Fixed - Security Vulnerability - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • bf726f1 : Filter Attachment file name of forward slashes for .eml attachments.
    • 47e5f69 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • 611376e : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 4bd213c : Configure Mtp once on boot.

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • 85ceae9 : Check access to user and password fields in APN db

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • 306b9c6 : Check caller before accessing database

  • platform/packages/services/Telecomm with 1 change(s)
    • ab1e8ba : Add flag to default dialer change dialog

  • platform/packages/services/Telephony with 2 change(s)
    • e64fcc2 : Fix potential NPE in EmergencyCallbackModeExitDialog.
    • 535b074 : Fix broken permission check for TelephonyManager#getForbiddenPlmns

  • platform/system/bt with 64 change(s)
    • 02ce5ca : Fix potential OOB read in sdpu_get_len_from_type
    • d2b74ee : btm_proc_smp_cback: Don't access p_dev_rec if freed
    • 46f439a : process_l2cap_cmd: Fix OOB
    • f265dd1 : btm_ble_multi_adv: Check data length in HCI interface
    • 70c5dbf : Add OOB check in avrc_pars_browse_rsp
    • 4dee65a : Fix buffer overflow in btif_dm_data_copy
    • dd41c0f : Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
    • 7e9c072 : Revert "Fix OOB in avrc_pars_browse_rsp"
    • ea267e2 : Fix OOB in avrc_pars_browse_rsp
    • 62a9dec : Fix possible OOB read
    • 339d73b : Check data length when parsing AVRCP vendor specific command responses
    • ba4ea1e : Check remaining frame length in rfc_process_mx_message
    • d753693 : Fix a wrong check in rfc_parse_data
    • d332d3a : Add bound check for rfc_parse_data
    • 6cba2b0 : Add packet length check in smp_proc_master_id
    • cea138c : Checks the SMP length to fix OOB read
    • 625fa1b : Add missing AVRCP message length checks inside avrc_msg_cback
    • 9dcfc76 : Add packet length checks in mca_ccb_hdl_req
    • 338502a : Check packet length in bta_av_proc_meta_cmd
    • 4c073ba : Fix OOB read in avrc_ctrl_pars_vendor_rsp
    • 153be6d : Fix copy length calculation in sdp_copy_raw_data
    • ea01df4 : Don't use Address after it was deleted
    • 3ae8bee : SDP: return error on offset bigger than attribute length
    • d78c0ef : HFP: Fix out of bound access in phone number processing
    • 7c52de0 : HIDD: Prevent integer underflow in bta_hd_act
    • 744a076 : Add packet length checks in l2cble_process_sig_cmd
    • b32331c : HID Host: Check L2CAP packet data length
    • 763024d : Add BT_HDR length check for received AVCTP packets
    • 02abc00 : Add packet length check for received AVCTP packets
    • 3aae136 : Add checks whether the AVDTP element data length is valid
    • 8d2714f : BNEP: Fix OOB access in bnep_data_ind
    • 0b6c218 : Decrease length after reading from array in process_service_attr_req
    • b25d23f : GATT: Handle too short Error Response PDU
    • 5a91e84 : Add PDU size checks in process_service_search_attr_rsp
    • 89c153e : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • d2b8425 : RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
    • 72da995 : Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
    • 87c8f9f : PAN: Always allocate in bta_pan_data_buf_ind_cback
    • 4fa3ab5 : AVRCP: Initialize buffer for attribute values to be written to
    • ada9a70 : AVRCP: Set maximum string length when copying to buffer
    • 868e8fa : AVRCP: Check number of text attribute values in response
    • 9cc70aa : AVRCP: Check number of text attributes in response
    • 0db4435 : AVRCP: Check the number of text value attributes requested
    • 108f867 : SDP: Check p_req_end before reading from p_req
    • 9a72cbc : BNEP: Check received frame type
    • 8477dfb : SDP: Include the offset in sdp_disc_server_rsp
    • e3e469f : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 529fd77 : Fix unexpected behavior in reading BNEP packets
    • 445d6f8 : Remove memory reference to invalid mem in error log
    • 78058d2 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • 5170599 : AVRCP: Check the number of text attributes requested
    • ae34970 : SDP: Pass the bounds to process_service_*_rsp
    • 34b1102 : Fix unexpected behavior in SDP
    • e59d213 : Removed alarm callback execution statistics
    • 451785d : Fixed the implementation of std::equal_to<bt_bdaddr_t>
    • 4d12ba5 : Read the correct amount of attributes
    • 37afb36 : SDP: Bounds check 'id' parameter for free_sdp_slot()
    • 84c28b6 : Add missing extension length check while parsing BNEP control packets
    • a26e709 : Free p_pending_data from tBNEP_CONN to avoid potential memory leaks
    • 12d883f : Add missing packet length checks while parsing BNEP control packets
    • af3585a : Add missing continuation offset check for SDP continuation requests
    • 090dde3 : Disable PAN Reverse Tethering when connection originated by the Remote
    • 00a4ad0 : Add a missing check for PAN buffer size before copying data
    • 1e10013 : Allocate buffers of the right size when BT_HDR is included

  • platform/system/connectivity/wificond with 1 change(s)
    • b722d7f : wificond: Mark scanner impl instance invalid

  • platform/system/core with 5 change(s)
    • 627e34d : Export maximum number of fds/ints in a native_handle.
    • b49f89c : String16: remove integer overflows
    • 9ea7646 : libnetutil: Check dhcp response packet length
    • 6400f2d : zip_archive: reject files that don't start with an LFH signature.
    • bef9023 : Fix integer overflow in utf{16,32}_to_utf8_length

  • platform/system/gatekeeper with 1 change(s)
    • 9aaec40 : Remove potential double free

  • platform/system/hwservicemanager with 2 change(s)
    • 40c9b54 : ACL based on getCallingSid
    • c0eee44 : get selinux context on add call arrival.

  • platform/system/libhidl with 7 change(s)
    • 3dcf302 : Delete vestigial Status parcel read.
    • 6fe2c69 : Zero-initialize hidl_vec data
    • fa8ff64 : Zero-init HIDL core types (all)
    • 69bdbb1 : Add gServiceSidMap.
    • b881fd8 : hidl_memory: fail on transfer if size SIZE_MAX
    • e27e570 : mapMemory: Do not map if size is SIZE_MAX
    • c6620f0 : canCastInterface: always return true for IBase

  • platform/system/libhwbinder with 4 change(s)
    • 09b9d9f : readCString: no ubsan sub-overflow
    • 4090b75 : Rely on compiler to zero out structs.
    • da998e4 : getCallingSid: get calling security context
    • feb2f50 : Deserialize a native_handle safely.

  • platform/system/media with 1 change(s)
    • d29ec57 : Camera metadata: Check source metadata size

  • platform/system/nfc with 23 change(s)
    • cde5a37 : Fix heap overflow in nfa_rw_store_ndef_rx_buf
    • 1f0cb99 : Prevent OOB error in rw_i93_sm_update_ndef()
    • 8005b2f : Prevent OOB error in rw_i93_sm_read_ndef()
    • 1e4a4c4 : Prevent OOB error in rw_i93_sm_detect_ndef()
    • 51de497 : Prevent OOB read in rw_i93_process_sys_info()
    • 350a393 : Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
    • ce0641d : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • bc50e3a : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • a49a1b0 : Fix heap overflow in NFA_SendRawFrame()
    • c7d5b7a : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • 216a24a : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • 215c058 : Prevent OOB read in rw_t3t_update_block()
    • c859906 : Prevent Out of bounds read in ce_t4t.cc
    • a9536f3 : Fix CVEs in llcp_util.cc
    • 7ffbf38 : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • a124c2d : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • 77bef28 : Improve AGF PDU integrity check to prevent OOB error
    • dc11876 : Prevent OOB error in nfc_ncif_proc_get_routing()
    • ee3e108 : Prevent Out of bounds read in llcp_dlc
    • e363180 : Prevent Out of bounds read in llcp code part 2
    • 18a0649 : Prevent Out of bounds read in llcp code
    • d9f264c : Prevent OOB error for T2T read/writes
    • 34b3342 : Fix NXP_CHIP_TYPE and compile errors

  • platform/system/security with 3 change(s)
    • fbc50dd : Fix keystore wifi concurrency issue.
    • dd536a1 : Fixing bug in security vulnerability patch
    • 5561a85 : Fixing security vuln by tightening race condition window.

  • platform/system/sepolicy with 1 change(s)
    • 7267a8f : crash_dump: disallow ptrace of TCB components

  • platform/system/tools/hidl with 3 change(s)
    • a992384 : Zero hidl-generated structs
    • b6633a0 : Fillout requesting SID.
    • 020045b : Explicitly check processes are oneway

  • platform/system/update_engine with 2 change(s)
    • 76b0c32 : Add SafetyNet logging for payload timestamp error.
    • f3ba2d4 : Add maximum timestamp to the payload.