Android Oreo AOSP Changes

Changes from 8.1.0_r50 (OPM7.181105.004) to 8.1.0_r51 (OPM8.181105.002):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (49):

  • device/google/dragon with 1 change(s)
    • cd75dab : dragon: update Bluetooth firmware

  • device/google/dragon-kernel with 6 change(s)
    • ef9e667 : ryu: update kernel prebuilt
    • c686858 : ryu: update kernel prebuilt
    • 9d72200 : ryu: update kernel prebuilt
    • bfc7044 : ryu: update kernel prebuilt
    • d20d376 : ryu: update kernel prebuilt
    • 8a1670c : ryu: update kernel prebuilt

  • device/google/wahoo with 2 change(s)
    • e3820de : Update SVN to 9 for May Release bug: 74345861 (cherry picked from commit 294cd6b8d899ff28f13639abeaebc56e48e392e6)
    • 23e09e5 : Increase SVN to 8 for April Security Update Bug: 73240847 (cherry picked from commit cf979de2464efb9007f671b32b4420e97043b41d)

  • device/huawei/angler-kernel with 1 change(s)
    • 0e535fc : angler: update kernel prebuilt

  • device/lge/bullhead-kernel with 1 change(s)
    • eb8776d : bullhead: update kernel prebuilt

  • platform/build with 9 change(s)
    • 1650f13 : Version bump to OPM8.181105.002
    • 9a9d10e : Version bump to OPM8.181005.003
    • 37f7991 : Version bump to OPM8.181005.002
    • a8c0363 : Updating Platform Security String to 2018-09-05 Bug: 111501777 (cherry picked from commit 6bc223c9af044ad06e2f1abc0c4570a7371f9a3a)
    • 2d990ff : Version bump to OPM4.171019.021
    • a6f587b : Version bump to OPM4.171019.020
    • 4fa8970 : Update Security String to 05-05 on release branch (cherry picked from commit 15d6d5502cb5eb2b2054c8baecadccc4422854c9)
    • ccde022 : Version bump to OPM4.171019.017
    • 7af9627 : Version bump to OPM4.171019.012

  • platform/external/aac with 1 change(s)
    • d04caf3 : MPEG-4 AAC Decoder: check against invalid height info

  • platform/external/bouncycastle with 1 change(s)
    • 7e3f86f : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • f0083fc : Test for error in handling getters changing element kind.

  • platform/external/conscrypt with 1 change(s)
    • 09bc6dc : Fix SSLEngine bug with multiple heap buffer inputs.

  • platform/external/curl with 1 change(s)
    • 02069aa : Disable unused protocols.

  • platform/external/e2fsprogs with 1 change(s)
    • 654f5f5 : Ignore quotes in safe_print().

  • platform/external/libavc with 4 change(s)
    • 3bda820 : Encoder: Return error for odd resolution
    • 7b2aa13 : Decoder: Modify setting short term reference field flag
    • 292c7b5 : Decoder: Fixed reset values in parse sps.
    • d7dbaf9 : Decoder: Set prev slice type for I slice.

  • platform/external/libhevc with 6 change(s)
    • 4403e3c : Return error for invalid st/lt sps parameters
    • 533dc36 : Return error for invalid sps sub layers parameters
    • 9b7e137 : Add limits check for depth hierarchy sps parameters
    • b00b802 : Return error for invalid reorder parameter
    • d81812e : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • a0779d9 : Fix output buffer size check

  • platform/external/libmpeg2 with 3 change(s)
    • 30e61d8 : Adding check for min_width and min_height
    • 17c2e4d : Adding Check For Number of Skip MBs
    • c29520c : Adding Internal Input Buffer

  • platform/external/libxml2 with 1 change(s)
    • 11cfbd9 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • d5a0280 : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/skia with 1 change(s)
    • 77c9552 : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"

  • platform/external/sonivox with 3 change(s)
    • 0fbe620 : sonivox: prevent rejection of good but large MIDI files
    • 2061206 : sonivox: prevent infinite loop in OTA ringtones
    • 95e51b9 : sonivox: fix hang caused by bad meta-event

  • platform/external/svox with 1 change(s)
    • f5281a9 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 1 change(s)
    • 6f4fd54 : Fix OOB access in Tremolo

  • platform/external/v8 with 1 change(s)
    • 99b3e48 : Backport: Fix Object.entries/values with changing elements

  • platform/frameworks/av with 25 change(s)
    • 4b7a7c3 : Fix information disclosure in mediadrmserver
    • 6828774 : Check for overflow of crypto size
    • ca0afc0 : M3UParser: handle missing EXT-X-MEDIA URIs
    • 871c0f2 : Allow kPortModeDynamicANWBuffer for kBufferTypeANWBuffer in useBuffer
    • 7ee4392 : MediaExtractor: stop rendering when an error occurs
    • e2c876f : Fix possible out of bounds read
    • 0d42771 : OMXNodeInstance: Allow dynamic native handle mode for input buffers
    • fa7042e : M3UParser: make url on demand
    • 920b52b : Speed up id3v2 unsynchronization
    • 7a50a7b : Fix security vulnerability in CryptoHal
    • 2c0d6cf : omx: restrict useBuffer according to buffer type and port mode
    • d089c85 : aaudio: use weak pointer to prevent UAF
    • 4c5b224 : Add minimum size check for ImageGrid atom
    • 5bf5d02 : Sanitize effect descriptors for AudioPolicyService binder calls.
    • 886eb8e : Add check preventing div0 issue
    • a0dbbec : Init gain config to prevent uninit leak.
    • c5c43b6 : Refactor MediaPlayerBase's notify
    • 7c592cc : Handle overflow in android::HeifDataSource::readAt
    • 1759f37 : better mpeg2 TS elementary stream Access Unit parsing
    • eecf2a3 : Handle bad bitrate index in mp3dec.
    • 72cd352 : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • d12c360 : Refactor MediaPlayerBase's notify
    • b20b43c : Check NAL size before looking inside
    • 7e02063 : Prevent MediaPlayerService::Client's use-after-free
    • 35650d3 : camera: Drop pending preview for enableZsl shots

  • platform/frameworks/base with 35 change(s)
    • fbff0c7 : RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."
    • f1ca40e : Verify number of Map entries written to Parcel
    • 84747b2 : RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions.
    • 462b867 : RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
    • 15c4bdc : Revert "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package."
    • 368faea : Fix crash during cursor moving on BiDi text
    • 0c4da9d : RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package.
    • f3709a8 : Optimise the hit test algorithm
    • 70346ba : Fix TrackInfo parcel write
    • 43631a4 : vpn: allow IPSec traffic through Always-on VPN
    • 44f897a : Resolve inconsistent parcel read in NanoAppFilter
    • d14a122 : Backport Prevent shortcut info package name spoofing
    • e87a7c9 : Fix DynamicRefTable::load security bug
    • 6ab2779 : ResStringPool: Prevenet boot loop from se fix
    • 0e50de3 : Make safe label more safe
    • dc76622 : WM: Prevent secondary display focus while keyguard is up
    • 51f7f6b : clearCallingIdentity before calling into getPackageUidAsUser
    • 959db06 : Nullcheck to fix Autofill CTS
    • 1449bd2 : Osu: fixed Mismatch between createFromParcel and writeToParcel
    • 11c2698 : Fix broken check for TelephonyManager#getForbiddenPlmns
    • 17552c3 : ResStringPool: Fix security vulnerability
    • d5e98d9 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
    • fda6995 : Use concrete CREATOR instance for parceling lists
    • 4708368 : Rework thumbnail cleanup
    • 1b6a6b0 : Proper autofill fix to let phone process autofill Settings activity.
    • fb5af33 : Fixed Security Vulnerability of DcParamObject
    • bafa72f : Update internal ViewPager's SavedState to match Support Library version
    • 7dd7459 : Verify last array's length in readFromParcel
    • 173d375 : Make sure apps cannot forge package name on AssistStructure used for Autofill.
    • 854ac60 : [RTT] ParcelableRttResults parcel code fix
    • 935288b : Fix VerifyCredentialResponse parcelling code
    • 0d63046 : Adjust URI host parsing to stop on \ character.
    • 9f4c9c1 : Check for null-terminator in ResStringPool::string8At
    • e6e4ebf : OutputConfiguration: Fix missing mIsShared in parcel read
    • 3e56e03 : Fix bad type for txPower in PeriodicAdvertisingReport serialization

  • platform/frameworks/ex with 1 change(s)
    • 1ba5c0d : Add bounds checking for transparency lookup

  • platform/frameworks/minikin with 1 change(s)
    • ae7af07 : Fix OOB read due to integer overflow

  • platform/frameworks/native with 5 change(s)
    • 51db8c3 : Don't pad before calling writeInPlace().
    • f52855d : Increment when attempting to read protected Parcel Data
    • 772b684 : Disallow reading object data from Parcels with non-object reads
    • 215a16e : Fix resampling for multiple pointers
    • 90bddcf : Add bounds check to sensors direct channel creation

  • platform/frameworks/opt/telephony with 1 change(s)
    • ffe4fdf : Fixed invalid pdu issue

  • platform/hardware/broadcom/wlan with 1 change(s)
    • 4ece48f : net: wireless: bcmdhd: update bcm4354 FW (7.35.101.9)

  • platform/hardware/google/easel with 1 change(s)
    • 2f3d8bf : pbcamera: Add nofityEaselFatalError

  • platform/hardware/interfaces with 1 change(s)
    • d945929 : cas: do not use hidl_memory if size is SIZE_MAX

  • platform/hardware/qcom/camera with 5 change(s)
    • e9cccc4 : QCamera3: Rename property to disable HDR+
    • 429a060 : QCamera2: HAL3: Support concurrent camera with Easel
    • ccdcca2 : QCamera: Add Easel FW version in EXIF
    • 2b4f863 : QCamera3: Notify HDR+ client about Easel error
    • 750311e : Revert "Revert "QCamera3: Enable HDR+ by default""

  • platform/hardware/qcom/display with 1 change(s)
    • 48bb313 : Fix Buffer Overflow in Vendor Service display.qservice

  • platform/hardware/qcom/media with 3 change(s)
    • ea11bb2 : mm-video-v4l2: Protect buffer access and increase input buffer size
    • 34572dc : mm-video-v4l2: Squash below changes
    • 3f70e6c : mm-video-v4l2: Protect buffer access and increase input buffer size

  • platform/libcore with 1 change(s)
    • ddb0973 : Fix hostname parsing in java.net.URLStreamHandler.

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 49499e9 : Make sure server response doesn't exceed maximum allowable length

  • platform/packages/apps/Email with 1 change(s)
    • 08dbcc8 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 1 change(s)
    • c905499 : Messaging ignores file URIs shared via intent

  • platform/packages/apps/PackageInstaller with 1 change(s)
    • 458b810 : RESTRICT AUTOMERGE: Always use safe labels

  • platform/packages/apps/Settings with 4 change(s)
    • 0d2bf81 : Disable changing lock when device is not provisioned.
    • e5b8cc1 : Delete obsolete activity alias for dev settings
    • 13d46d7 : Settings: Remove HAL HDR+ option
    • 4d45be2 : Revert "Revert "Settings: Enable HAL HDR+ by default""

  • platform/packages/apps/UnifiedEmail with 2 change(s)
    • 5779835 : Filter Attachment file name of forward slashes for .eml attachments.
    • dd5743f : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • f1cced1 : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 9d11085 : Rework thumbnail cleanup

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • e364485 : Check caller before accessing database

  • platform/packages/services/Telephony with 3 change(s)
    • 172a7f4 : Fix potential NPE in EmergencyCallbackModeExitDialog.
    • f261b37 : Fix broken permission check for TelephonyManager#getForbiddenPlmns
    • 39cfeaf : Enhanced permission checks for TelephonyManager#endCall() API.

  • platform/system/bt with 36 change(s)
    • b28b4fb : Check data length when parsing AVRCP vendor specific command responses
    • 4dcb1ef : Fix a wrong check in rfc_parse_data
    • d0450d0 : Add bound check for rfc_parse_data
    • 80f0f0d : Fix build failure in stack/rfcomm/rfc_ts_frames.c
    • 2ac52bb : Add packet length checks in mca_ccb_hdl_req
    • df41965 : Checks the SMP length to fix OOB read
    • c9aba1b : Add packet length check in smp_proc_master_id
    • 1c5192c : Add missing AVRCP message length checks inside avrc_msg_cback
    • 6090e5b : Check packet length in bta_av_proc_meta_cmd
    • 9f96434 : Fix OOB read in avrc_ctrl_pars_vendor_rsp
    • 2b85891 : Check remaining frame length in rfc_process_mx_message
    • eecef97 : Fix copy length calculation in sdp_copy_raw_data
    • 31dc2d4 : HID Host: Check L2CAP packet data length
    • 7f4270c : Add packet length checks in l2cble_process_sig_cmd
    • cb03ab0 : Don't use Address after it was deleted
    • 6c69b51 : HFP: Fix out of bound access in phone number processing
    • dcb5656 : SDP: return error on offset bigger than atribute length
    • 352afd8 : HIDD: Prevent integer underflow in bta_hd_act
    • c948737 : Add BT_HDR length check for received AVCTP packets
    • dd77b7d : Add packet length check for received AVCTP packets
    • 9d6ae30 : Add checks whether the AVDTP element data length is valid
    • a531891 : BNEP: Fix OOB access in bnep_data_ind
    • 0dd3d35 : RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
    • ae32b52 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • f79e649 : Decrease length after reading from array in process_service_attr_req
    • 3324f4a : GATT: Handle too short Error Response PDU
    • 1db856a : Add PDU size checks in process_service_search_attr_rsp
    • b545306 : Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
    • 924e573 : Get rid of BTM_IS_PUBLIC_BDA
    • c5a7986 : PAN: Always allocate in bta_pan_data_buf_ind_cback
    • eb8771e : AVRCP: Check number of text attribute values in response
    • 99c17db : AVRCP: Set maximum string length when copying to buffer
    • acb8b71 : AVRCP: Initialize buffer for attribute values to be written to
    • 2c3a82a : AVRCP: Check number of text attributes in response
    • 8feb740 : AVRCP: Check the number of text value attributes requested
    • 2eb7266 : SDP: Check p_req_end before reading from p_req

  • platform/system/core with 1 change(s)
    • 234fb03 : String16: remove integer overflows

  • platform/system/libhidl with 2 change(s)
    • 15a9cf0 : hidl_memory: fail on transfer if size SIZE_MAX
    • dfd88f1 : mapMemory: Do not map if size is SIZE_MAX

  • platform/system/sepolicy with 2 change(s)
    • d9339f1 : crash_dump: disallow ptrace of TCB components
    • d58aa86 : Add drmserver permission for ephemeral apps