Android Oreo AOSP Changes

Changes from 8.1.0_r65 (OPM8.190605.003) to 8.1.0_r66 (OC):

Warning: Releases with no significant changes other than a version bump in the platform/build component are likely to feature only proprietary binary blob (e.g. firmware) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (63):

  • device/google/muskie with 1 change(s)
    • b7a1b97 : Set Type-A HCE to Random UID

  • device/google/taimen with 1 change(s)
    • 1ca1f4e : Set Type-A HCE to Random UID

  • platform/art with 1 change(s)
    • 019baa4 : Use conservative permissions when creating files in ART

  • platform/build with 3 change(s)
    • b0a84d9 : Change build id to OC
    • 0200ba2 : Specify --max_timestamp when calling brillo_update_payload.
    • b56efbb : OAS1.171128.001

  • platform/cts with 27 change(s)
    • d8b3c66 : Recover shady content:// paths.
    • 9eaf627 : Verify a Map size mismatch in Parcel#writeMapInternal causes an exception
    • 35c5a41 : test if b/65484460 is fixed.
    • 8af0df1 : Backport CTS for [Prevent shortcut info package name spoofing]
    • 024311f : RESTRICT AUTOMERGE: CTS: Verify DynamicRefTable::load security fix
    • 5033ef1 : RESTRICT AUTOMERGE: Make CTS test testQuery more flexible
    • adc336c : Fixed ContentProviderCursorWindowTest
    • 1915151 : Rename testStagefright_b72165027 to meet naming standards
    • c019372 : RESTRICT AUTOMERGE: CTS: Created ResStringPool security tests
    • 2861a45 : CTS test for Android Security b/37093318
    • a86e3e4 : RESTRICT AUTOMERGE: Prevent reporting fake package name - cts (backport to oc-mr1-dev)
    • e009e2d : sonivox: fix hang caused by bad meta-event (cts)
    • 4046747 : Add tests for thumbnail cleanup
    • 96c06af : Added autofill test to check apps cannot bypass package name on AssistStructure
    • 25accf8 : Added autofill test to check apps cannot bypass package name on AssistStructure
    • 8be2631 : CTS for presence of avc fix for b/70897454
    • 2031b76 : Add CTS test for URI fix.
    • 57f7624 : CTS additions for b/72165027
    • 9ec3295 : CTS tests for b/70897394
    • ca83e25 : Camera: Add test for OutputConfiguration parcelling
    • fae65f7 : Add CTS test to verify that overlays cannot be installed
    • a90d457 : Add CTS test for bug 65483665
    • 4c75889 : Test for bug 69478425
    • be8098c : Add EffectBundleTest
    • 52b509c : Test that createBitmap(65535,65535) throws OOME
    • 27e8489 : Verify b/67737022 fix presence
    • f86a444 : Add CTS test for URI fix.

  • platform/external/aac with 3 change(s)
    • fcfcf78 : Prevent out of bounds accesses in lppTransposer()
    • fac7ba8 : MPEG-4 AAC Decoder: check against invalid height info
    • 2168166 : Fix out of bound memory access in lppTransposer

  • platform/external/bouncycastle with 1 change(s)
    • 4175a7d : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • 8039f01 : Test for error in handling getters changing element kind.

  • platform/external/conscrypt with 1 change(s)
    • 8f08718 : Fix SSLEngine bug with multiple heap buffer inputs.

  • platform/external/curl with 1 change(s)
    • ff37260 : Disable unused protocols.

  • platform/external/e2fsprogs with 1 change(s)
    • 677fa3f : Ignore quotes in safe_print().

  • platform/external/libavc with 13 change(s)
    • a1f1571 : Decoder: Delete node from st if lt and st point to same
    • e7c67d5 : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • b39b3bb : Decoder: Modify setting short term reference field flag
    • 14c4de5 : Encoder: Return error for odd resolution
    • c208fd7 : Decoder: Set prev slice type for I slice.
    • 0938147 : Decoder: Fixed reset values in parse sps.
    • a456413 : Decoder: Fixed memory overflow in shared display mode.
    • acb5837 : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • 3ab2d32 : Decoder: Modified loop condition while parsing ref_list_reordering.
    • 37387cd : Decoder: Handle dec_hdl memory allocation failure gracefully
    • dcc1000 : Decoder: Detect change of mbaff flag in SPS
    • ba2f2fa : Decoder: Increased allocation and added checks in sei parsing.
    • 6b573d2 : Decoder: Fixed incorrect use of mmco parameters.

  • platform/external/libhevc with 22 change(s)
    • 74219ec : Add push-pop for Neon D8-D15 registers
    • 80b235f : Add few more checks for invalid parameters in sps
    • 72abc5a : Add missing return check for short_term_ref_pic_set()
    • 86d933e : Add bounds check for tile dimensions
    • 797894f : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 11a8221 : Add limits check for the CTB position in a frame
    • c5c89a2 : Return error for invalid st/lt sps parameters
    • c70dde3 : Add limits check for depth hierarchy sps parameters
    • 80056a8 : Return error for invalid sps sub layers parameters
    • 79a2e68 : Return error for invalid reorder parameter
    • f3dce5a : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • 617fb33 : Fix output buffer size check
    • dea9dfb : Update ctb pu map for I slice
    • eca7dab : Check if luma wd and ht are multiple of min cb size
    • 298ccbe : Fix first frame error return
    • 7018f7f : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • f7214c0 : Return error for negative crop parameters
    • 9d51792 : Fix incomplete frame error
    • db1156d : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • 37cd737 : Fix slice address zero for not first slice in pic
    • 7c5140d : Fix prev slice incomplete check
    • 3a11314 : Consume bytes for sps with unsupported resolution

  • platform/external/libmpeg2 with 8 change(s)
    • f9f2731 : Add push-pop for Neon D8-D15 registers
    • 8b2f82b : Adding check for min_width and min_height
    • 65300ba : Adding Check For Number of Skip MBs
    • 4d911ea : Adding Internal Input Buffer
    • 4efd13b : Fixing Underflow of ps_dec-u2_num_mbs_left
    • 53caece : Adding Error Check for Output Buffer Size
    • 45a6fb7 : Correcting Buffer Allocation for Shared Display
    • b607989 : Adding Error Check for f_code Parameters

  • platform/external/libvpx with 3 change(s)
    • 0563f32 : Fixes a double free in ContentEncoding
    • 3d45178 : Check there is only one settings per ContentCompression
    • 19891b9 : libwebm: Cherrypick 5a41830 from upstream

  • platform/external/libxml2 with 1 change(s)
    • 7364338 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • bdd1df0 : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/sfntly with 1 change(s)
    • 2e95427 : Fix uninitialized value in sfntly

  • platform/external/skia with 4 change(s)
    • 51df377 : RESTRICT AUTOMERGE: Fix bug decoding JCS_RGB jpeg files
    • d3f79b8 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • 2d4f37e : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • c3cd324 : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"

  • platform/external/sonivox with 7 change(s)
    • 9fdc11b : sonivox: prevent rejection of good but large MIDI files
    • aaa644e : sonivox: prevent infinite loop in OTA ringtones
    • 6fc68d0 : Revert "sonivox: prevent infinite loop in OTA ringtones"
    • 2ce251c : sonivox: prevent infinite loop in OTA ringtones
    • 0eb1f87 : sonivox: fix hang caused by bad meta-event
    • a21dab1 : Add recursion limit to XMF_ReadNode
    • 09bafcd : Fix memory leak

  • platform/external/sqlite with 1 change(s)
    • 0f72652 : RESTRICT AUTOMERGE: Apply security patch to sqlite 3.19.

  • platform/external/svox with 1 change(s)
    • 1904252 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 2 change(s)
    • 8f6ed4a : Add some error/overflow checks in codebook handling
    • 2583057 : Fix OOB access in Tremolo

  • platform/external/v4l2_codec2 with 1 change(s)
    • 929fa98 : Don't continue with an invalid iterator

  • platform/external/v8 with 7 change(s)
    • 7873129 : Fix type confusion in libpac
    • a561b4a : [RESTRICT AUTOMERGE] Fix type confusion in libpac
    • 884ef2f : [RESTRICT AUTOMERGE] Fix OOB Access in libpac
    • 9ac4dfd : [RESTRICT AUTOMERGE] Fix Integer Overflow in libpac
    • fbd6396 : Fix OOB read in libpac ast-numbering.cc
    • 8f48667 : Fix type confusion in libpac
    • 5658d8c : Backport: Fix Object.entries/values with changing elements

  • platform/external/wpa_supplicant_8 with 3 change(s)
    • 8ca1065 : [wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
    • c0c2966 : Use BoringSSL to get random bytes
    • 4771cd0 : WNM: Fix WNM-Sleep Mode Request bounds checking

  • platform/frameworks/av with 53 change(s)
    • 1710948 : AMR WB encoder: prevent OOB write in ACELP_4t64_fx
    • e7a1e1a : httplive: detect oom if playlist is infinite
    • fde3f49 : Fix overflow/dos in 3gg text description parsing
    • d04682b : Zero-initialize HIDL structs before passing
    • c4c6a89 : Remove unused AVIExtractor source
    • fb23714 : NuPlayerCCDecoder: fix memory OOB
    • 3c2f4bf : audio: ensure effect chain with specific session id is unique
    • e4f2750 : AudioFlinger: Prevent multiple effect chains with same sessionId
    • 2ecd315 : Reserve enough space for RTSP CSD
    • 41268cd : AudioFlinger: put effect desc lookup under mutex for createEffect
    • ffd2e8a : RESTRICT AUTOMERGE: aaudio: improve test_atomic_fifo
    • d652535 : RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index
    • 62cd0f4 : RESTRICT AUTOMERGE: aaudio: fix FIFO wrapround frame counts
    • 8cd9380 : CTS error while media dump()
    • 06ddae0 : MediaExtractor: stop rendering when an error occurs
    • 5b35a03 : Check for overflow of crypto size
    • 7797c64 : Fix information disclosure in mediadrmserver
    • cb307cc : Revert "MediaExtractor: stop rendering when an error occurs"
    • 993f503 : M3UParser: handle missing EXT-X-MEDIA URIs
    • f45b129 : Allow kPortModeDynamicANWBuffer for kBufferTypeANWBuffer in useBuffer
    • f323978 : MediaExtractor: stop rendering when an error occurs
    • 6704256 : OMXNodeInstance: Allow dynamic native handle mode for input buffers
    • 90d6c14 : Fix possible out of bounds read
    • 777efb4 : M3UParser: make url on demand
    • 0c26f2a : omx: restrict useBuffer according to buffer type and port mode
    • fdc0125 : Fix security vulnerability in CryptoHal
    • f5ea1c7 : Speed up id3v2 unsynchronization
    • 952494d : aaudio: use weak pointer to prevent UAF
    • 0c43df5 : Add minimum size check for ImageGrid atom
    • 92320ba : Sanitize effect descriptors for AudioPolicyService binder calls.
    • e8298a7 : Add check preventing div0 issue
    • 57ccfe1 : Init gain config to prevent uninit leak.
    • 3ec5b39 : Handle overflow in android::HeifDataSource::readAt
    • 77028b2 : better mpeg2 TS elementary stream Access Unit parsing
    • 57434d3 : Handle bad bitrate index in mp3dec.
    • 418ee67 : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • b4dc5ca : Check NAL size before looking inside
    • 5641550 : Refactor MediaPlayerBase's notify
    • 0ed3f30 : Prevent MediaPlayerService::Client's use-after-free
    • 363fc54 : Fix use of uninitialized value in libmediadrm
    • de686a4 : Fix potential buffer overflow in mediadrmserver
    • 3d3a330 : AACExtractor: check bounds during seek
    • d4b2348 : httplive: check for malformed EXT-X-STREAM-INF
    • b59bab6 : IAudioPolicyService: Add attribute tags sanitization
    • be70f0d : Apply input buffer validation also to AVC and MPEG4 encoders
    • 6e5d041 : Access AVCDEC context after create fail check
    • ea822ac : Validate decryption key length to decrypt function.
    • bb04dad : avoid 32-bit integer overflow
    • 6122f99 : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • 50b9c47 : Protect against possible race conditions
    • 65721c8 : SoftAVCDec: Handle zero length input without EOS
    • b3808d9 : Access HEVC context after create fail check
    • 8eddf1c : Fix edge case when applying id3 unsynchronization

  • platform/frameworks/base with 54 change(s)
    • d45487d : Clear the Parcel before writing an exception during a transaction
    • 39993ff : Protect VPN dialogs against overlay.
    • ba4777f : [RESTRICT AUTOMERGE] Make Lock task default consistent w/ Settings (oc-mr1-dev).
    • 325344e : HwBlob: s/malloc/calloc/
    • 796166b : SUPL ES Extension - June 2019 rollup
    • 6b375ca : [RESTRICT_AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
    • 65b5375 : Limit IsSeparateProfileChallengeAllowed to system callers
    • f6f3295 : Added missing permission check to isPackageDeviceAdminOnAnyUser.
    • 471c263 : Permission Check For DPM.getPermittedAccessibilityServices
    • ee15b9c : Revert "Adding SUPL NI Emergency Extension Time"
    • fabf168 : DPM: Fix regression from I54376f60ac53451ace22965d331b47cd8c2e614e
    • ade3a63 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • 8315a53 : Adding SUPL NI Emergency Extension Time
    • b8c2ef9 : FRP: save password quality in DPM.resetPassword
    • 1dc6854 : Bluetooth: Check descriptors size in BluetoothHidDeviceAppSdpSettings
    • c3a113e : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • aa0f06d : RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
    • a517294 : Verify number of Map entries written to Parcel
    • 0137b7e : Fix crash during cursor moving on BiDi text
    • 1039d21 : Optimise the hit test algorithm
    • f140de3 : Fix TrackInfo parcel write
    • 63e920b : Resolve inconsistent parcel read in NanoAppFilter
    • 4c4fb19 : vpn: allow IPSec traffic through Always-on VPN
    • ba42f5a : Backport Prevent shortcut info package name spoofing
    • 88a2163 : Revert "Optimise the hit test algorithm"
    • e78f982 : ResStringPool: Prevenet boot loop from se fix
    • 491ae5d : Fix DynamicRefTable::load security bug
    • 29de331 : Optimise the hit test algorithm
    • cadd70a : WM: Prevent secondary display focus while keyguard is up
    • a45628c : Make safe label more safe
    • 12c763e : clearCallingIdentity before calling into getPackageUidAsUser
    • 3c6f4ea : Nullcheck to fix Autofill CTS
    • 3636dfb : Osu: fixed Mismatch between createFromParcel and writeToParcel
    • 6b72a0f : Fix broken check for TelephonyManager#getForbiddenPlmns
    • 04431aa : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
    • 9e7be14 : ResStringPool: Fix security vulnerability
    • e58113f : Use concrete CREATOR instance for parceling lists
    • 66c995d : Rework thumbnail cleanup
    • a329f80 : Proper autofill fix to let phone process autofill Settings activity.
    • 3166e2a : Fixed Security Vulnerability of DcParamObject
    • 1015953 : Verify last array's length in readFromParcel
    • be04daa : Update internal ViewPager's SavedState to match Support Library version
    • a319aea : Make sure apps cannot forge package name on AssistStructure used for Autofill.
    • 37ff8b5 : Fix VerifyCredentialResponse parcelling code
    • 5766f37 : [RTT] ParcelableRttResults parcel code fix
    • c232a41 : Fix bad type for txPower in PeriodicAdvertisingReport serialization
    • 1fd7543 : Adjust URI host parsing to stop on \ character.
    • 1406113 : Check for null-terminator in ResStringPool::string8At
    • 8d0e1a3 : OutputConfiguration: Fix missing mIsShared in parcel read
    • 555052e : OMS: Only allow trusted overlays to be registered.
    • fa52037 : Swap the order of synthetic password wrapping
    • cd0a7c7 : Adjust Uri host parsing to use last instead of first @.
    • f117b1c : mtp: fix double free of thumbnail data
    • f02f130 : Throw OOME if Bitmap.nativeCreate fails

  • platform/frameworks/ex with 2 change(s)
    • a2ad8ea : Add bounds checking for transparency lookup
    • 9baf8ce : Skip composition of frames lacking a color map

  • platform/frameworks/minikin with 1 change(s)
    • a1b99ba : Fix OOB read due to integer overflow

  • platform/frameworks/native with 10 change(s)
    • 786fab4 : [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
    • 1a10d15 : libbinder: readCString: no ubsan sub-overflow
    • b53300f : Zero-initialize HIDL structs before passing
    • 6ea12db : Sanitize InputMessage before sending
    • 8df427d : libui: add boundary check to GraphicBuffer::unflatten
    • 1f6fdab : Increment when attempting to read protected Parcel Data
    • 8b39688 : Don't pad before calling writeInPlace().
    • 7bf4035 : Disallow reading object data from Parcels with non-object reads
    • 98b8ef1 : Add bounds check to sensors direct channel creation
    • 16d0329 : surfaceflinger: make vsync injection more robust

  • platform/frameworks/opt/telephony with 1 change(s)
    • d664da9 : Fixed invalid pdu issue

  • platform/hardware/interfaces with 3 change(s)
    • 6e253ab : cas: do not use hidl_memory if size is SIZE_MAX
    • aee6992 : cas: validate shared buffer size before using
    • f3e2975 : Add tests to validate key length for clearkey plugin.

  • platform/hardware/qcom/display with 1 change(s)
    • f63f537 : sdm: hwc2: validate display id in SetColorModeById

  • platform/hardware/qcom/media with 1 change(s)
    • 7bf3633 : mm-video-v4l2: venc: Squash below changes

  • platform/libcore with 1 change(s)
    • 2214b35 : Fix hostname parsing in java.net.URLStreamHandler.

  • platform/packages/apps/Bluetooth with 1 change(s)
    • e0ad5d0 : Make sure server response doesn't exceed maximum allowable length

  • platform/packages/apps/Contacts with 1 change(s)
    • 3193aa5 : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/Email with 3 change(s)
    • 7962d2e : AOSP/Email - bug fix: do not allow composing message with hidden private data attachments.
    • 1e37046 : AOSP/Email - Second part of the Security Vulnerability fix - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • 9aaf3c2 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 1 change(s)
    • 111aebb : Messaging ignores file URIs shared via intent

  • platform/packages/apps/Nfc with 2 change(s)
    • 4514cf1 : Prevent OOB write in Mfc_Transceive
    • a40f032 : Prevent OOB write in phFriNfc_ExtnsTransceive

  • platform/packages/apps/PackageInstaller with 4 change(s)
    • c3a4cf7 : [RESTRICT AUTOMERGE]: Merge commit '217f31fb5da6a08b2172d292fa5b8f440c02ae3a' into OP_REQUEST_INSTALL_PACKAGES-denied
    • 8c0ef16 : Ask for PIN when granting permissions in front of lock screen
    • 8c9f9bb : RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL
    • 25b0cdb : RESTRICT AUTOMERGE: Always use safe labels

  • platform/packages/apps/Settings with 9 change(s)
    • 2584d03 : [RESTRICT AUTOMERGE] Make ScreenPinningSettings behaviour consistent with lock tasks.
    • 14e56a3 : Do not allow draw on top for App notification settings
    • f034a73 : Do not allow draw on top for default sms picker.
    • 94c6c1c : Hide quicksetting tile for dev options when it's turned off
    • 45cffe1 : Disable changing lock when device is not provisioned.
    • 5c96d6f : Delete obsolete activity alias for dev settings
    • e541249 : Update the way OMS records details about overlays
    • 75f2cf9 : Reword bluetooth confirmation dialog
    • e9cf5c0 : Fix BluetoothPairingDialogTest to not expect device name

  • platform/packages/apps/UnifiedEmail with 4 change(s)
    • c320c96 : AOSP/UnifiedEmail - bug fix to composing messages.
    • 84ea0d2 : AOSP/Email - Fixed - Security Vulnerability - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • 61c7a2b : Filter Attachment file name of forward slashes for .eml attachments.
    • 7496305 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • e93c521 : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 50cc45f : Rework thumbnail cleanup

  • platform/packages/providers/TelephonyProvider with 1 change(s)
    • 6976e0b : Check access to user and password fields in APN db

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • fa6da45 : Check caller before accessing database

  • platform/packages/services/Telecomm with 1 change(s)
    • 1744170 : Add flag to default dialer change dialog

  • platform/packages/services/Telephony with 3 change(s)
    • d207c0f : Fix potential NPE in EmergencyCallbackModeExitDialog.
    • 6ff2190 : Fix broken permission check for TelephonyManager#getForbiddenPlmns
    • 31c7884 : Enhanced permission checks for TelephonyManager#endCall() API.

  • platform/system/bt with 54 change(s)
    • bd6c302 : Fix potential OOB read in sdpu_get_len_from_type
    • dab2922 : btm_proc_smp_cback: Don't access p_dev_rec if freed
    • 371fabe : process_l2cap_cmd: Fix OOB
    • da7b251 : btm_ble_multi_adv: Check data length in HCI interface
    • 0f5b8d5 : Add OOB check in avrc_pars_browse_rsp
    • cae7c5e : Fix buffer overflow in btif_dm_data_copy
    • 34054c7 : Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
    • e97eddb : Revert "Fix OOB in avrc_pars_browse_rsp"
    • e46805c : Fix OOB in avrc_pars_browse_rsp
    • 24ccb51 : Fix possible OOB read
    • 0bd0158 : Check data length when parsing AVRCP vendor specific command responses
    • 6158e80 : Check remaining frame length in rfc_process_mx_message
    • 4ff82a8 : Fix a wrong check in rfc_parse_data
    • 9b1abd3 : Add bound check for rfc_parse_data
    • 91eb38f : Add packet length check in smp_proc_master_id
    • 7879412 : Checks the SMP length to fix OOB read
    • 955d838 : Add missing AVRCP message length checks inside avrc_msg_cback
    • c2ac5b8 : Add packet length checks in mca_ccb_hdl_req
    • 750d38e : Check packet length in bta_av_proc_meta_cmd
    • 566d197 : Fix OOB read in avrc_ctrl_pars_vendor_rsp
    • c0e18fb : Fix copy length calculation in sdp_copy_raw_data
    • 5c59e8a : SDP: return error on offset bigger than atribute length
    • 87a66f0 : HFP: Fix out of bound access in phone number processing
    • 559044f : Don't use Address after it was deleted
    • 1195bae : HIDD: Prevent integer underflow in bta_hd_act
    • 025fe7d : Add packet length checks in l2cble_process_sig_cmd
    • 9643182 : HID Host: Check L2CAP packet data length
    • d03b1e2 : Add BT_HDR length check for received AVCTP packets
    • 9f64fa2 : Add packet length check for received AVCTP packets
    • ee7b3fe : Add checks whether the AVDTP element data length is valid
    • 10323d3 : BNEP: Fix OOB access in bnep_data_ind
    • 1a35f52 : Decrease length after reading from array in process_service_attr_req
    • 8a6aa11 : Add PDU size checks in process_service_search_attr_rsp
    • a2bcf57 : GATT: Handle too short Error Response PDU
    • 2d08ca6 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • 5d2e58b : RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
    • 39ae2e6 : Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
    • ff7dcc3 : PAN: Always allocate in bta_pan_data_buf_ind_cback
    • 5aaf54d : AVRCP: Initialize buffer for attribute values to be written to
    • f2e79e0 : AVRCP: Set maximum string length when copying to buffer
    • 52da4b4 : AVRCP: Check number of text attribute values in response
    • 907988f : AVRCP: Check number of text attributes in response
    • 2914e25 : AVRCP: Check the number of text value attributes requested
    • 2e740b9 : SDP: Check p_req_end before reading from p_req
    • 01442a4 : BNEP: Check received frame type
    • 53b4093 : SDP: Include the offset in sdp_disc_server_rsp
    • 71fa33a : Allocate/free the SDP connection timers only during stack startup/shutdown
    • a2981aa : Fix unexpected behavior in reading BNEP packets
    • 57693b7 : Remove memory reference to invalid mem in error log
    • 0ee2fe2 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • 82cdd6a : AVRCP: Check the number of text attributes requested
    • daae2cf : SDP: Pass the bounds to process_service_*_rsp
    • 8fd13fb : Fix unexpected behavior in SDP
    • 7cb3485 : Removed alarm callback execution statistics

  • platform/system/connectivity/wificond with 1 change(s)
    • 85a6deb : wificond: Mark scanner impl instance invalid

  • platform/system/core with 3 change(s)
    • 348f97c : Export maximum number of fds/ints in a native_handle.
    • 8e9b610 : String16: remove integer overflows
    • 3a0d690 : libnetutil: Check dhcp respose packet length

  • platform/system/gatekeeper with 1 change(s)
    • 8830c2c : Remove potential double free

  • platform/system/hwservicemanager with 2 change(s)
    • d6ee3e2 : ACL based on getCallingSid
    • 498a600 : get selinux context on add call arrival.

  • platform/system/libhidl with 7 change(s)
    • b302e91 : Delete vestigial Status parcel read.
    • ba20bcf : Zero-initialize hidl_vec data
    • 8726747 : Zero-init HIDL core types (all)
    • 942e4d9 : Add gServiceSidMap.
    • c6429af : hidl_memory: fail on transfer if size SIZE_MAX
    • 6eb22a7 : mapMemory: Do not map if size is SIZE_MAX
    • f5f59d2 : canCastInterface: always return true for IBase

  • platform/system/libhwbinder with 4 change(s)
    • 3ba4e61 : readCString: no ubsan sub-overflow
    • 3d7adf5 : Rely on compiler to zero out structs.
    • b5e397c : getCallingSid: get calling security context
    • f1fd1d4 : Deserialize a native_handle safely.

  • platform/system/media with 1 change(s)
    • f378adf : Camera metadata: Check source metadata size

  • platform/system/nfc with 22 change(s)
    • c9a02cd : Fix heap overflow in nfa_rw_store_ndef_rx_buf
    • 72174c1 : Prevent OOB error in rw_i93_sm_update_ndef()
    • ab27be2 : Prevent OOB error in rw_i93_sm_read_ndef()
    • 6eee639 : Prevent OOB error in rw_i93_sm_detect_ndef()
    • fd060c2 : Prevent OOB read in rw_i93_process_sys_info()
    • 3df140d : Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
    • 95184bf : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • 22b06b9 : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • 51466b6 : Fix heap overflow in NFA_SendRawFrame()
    • 5830caa : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • 145eb54 : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • 0dbb540 : Prevent OOB read in rw_t3t_update_block()
    • d2c3d60 : Prevent Out of bounds read in ce_t4t.cc
    • 0e54afa : Fix CVEs in llcp_util.cc
    • 6c91f0b : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • 846630a : Prevent OOB error in nfc_ncif_proc_get_routing()
    • 5febf0e : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • 893c548 : Improve AGF PDU integrity check to prevent OOB error
    • 5b4cd70 : Prevent Out of bounds read in llcp_dlc
    • 76438bc : Prevent Out of bounds read in llcp code part 2
    • 30dc6cf : Prevent Out of bounds read in llcp code
    • 8a9192c : Prevent OOB error for T2T read/writes

  • platform/system/security with 3 change(s)
    • 2d6ff19 : Fix keystore wifi concurrency issue.
    • 2a68743 : Fixing bug in security vulnerability patch
    • 057fc4d : Fixing security vuln by tightening race condition window.

  • platform/system/sepolicy with 1 change(s)
    • 35d0550 : crash_dump: disallow ptrace of TCB components

  • platform/system/tools/hidl with 4 change(s)
    • f66a8b9 : Zero hidl-generated structs
    • d42ae6c : Zero hidl-generated structs
    • 804902c : Fillout requesting SID.
    • 8d1738c : Explicitly check processes are oneway

  • platform/system/update_engine with 2 change(s)
    • 7cf4810 : Add SafetyNet logging for payload timestamp error.
    • defdda6 : Add maximum timestamp to the payload.