Android Oreo AOSP Changes

Changes from 8.1.0_r66 (OC) to 8.1.0_r67 (OPM8.190605.005):

Warning Releases with no significant changes other than version bump in platform/build component are likely to only feature proprietary binary blob (e.g. firmwares) changes.

Newly Added Components (0):

None

Removed Components (0):

None

Updated Components (73):

  • device/google/dragon with 2 change(s)
    • d7380b6 : dragon: Update Bluetooth firmware
    • cd75dab : dragon: update Bluetooth firmware

  • device/google/dragon-kernel with 14 change(s)
    • bb79e74 : ryu: update kernel prebuilt
    • b8ddf4c : ryu: update kernel prebuilt
    • 40cbd4c : ryu: update kernel prebuilt
    • 15c2a3e : ryu: update kernel prebuilt
    • 4241752 : ryu: update kernel prebuilt
    • c35e2e5 : ryu: update kernel prebuilt
    • ef9e667 : ryu: update kernel prebuilt
    • c686858 : ryu: update kernel prebuilt
    • 9d72200 : ryu: update kernel prebuilt
    • bfc7044 : ryu: update kernel prebuilt
    • d20d376 : ryu: update kernel prebuilt
    • 8a1670c : ryu: update kernel prebuilt
    • 41fc83d : ryu: update kernel prebuilt
    • c54f093 : ryu: update kernel prebuilt

  • device/google/muskie with 1 change(s)
    • acc2b99 : Set Type-A HCE to Random UID

  • device/google/taimen with 2 change(s)
    • 4873d69 : Set Type-A HCE to Random UID
    • c8ca6bf : taimen: NFC: update NFC GPIO 5

  • device/google/wahoo with 7 change(s)
    • e3820de : Update SVN to 9 for May Release bug: 74345861 (cherry picked from commit 294cd6b8d899ff28f13639abeaebc56e48e392e6)
    • 0460ff5 : Increase SVN to 8 for April Security Update Bug: 73240847 (cherry picked from commit cf979de2464efb9007f671b32b4420e97043b41d)
    • 23e09e5 : Increase SVN to 8 for April Security Update Bug: 73240847 (cherry picked from commit cf979de2464efb9007f671b32b4420e97043b41d)
    • a5b2237 : Update SVN to 7 for March 2018 Monthly Update Bug:71860241 (cherry picked from commit da9a297f5073dba61a12498e84e8361b14e12292)
    • 469ba59 : Update SVN to 7 for March 2018 Monthly Update Bug:71860241 (cherry picked from commit da9a297f5073dba61a12498e84e8361b14e12292)
    • 431f794 : Update SVN to 6 for Feb 2017 Monthly Update
    • a384e37 : Update SVN to 5 for Jan 2017 Monthly Update Bug:69257226 (cherry picked from commit 40b61a3bb8f08ab042f0777984b6cf7c38a722d0)

  • device/huawei/angler with 2 change(s)
    • f8fe4f7 : Add dun APN for Telstra to apns-full-conf.xml
    • 7978b14 : Add dun APN for Telstra to apns-full-conf.xml

  • device/huawei/angler-kernel with 3 change(s)
    • 0e535fc : angler: update kernel prebuilt
    • 7d4865a : angler: update kernel prebuilt
    • 6549a21 : angler: update kernel prebuilt

  • device/lge/bullhead with 6 change(s)
    • 7ac5c96 : bullhead: Apn fix for Simyo 214-19
    • 9597cd0 : Add dun APN for Telstra to apns-full-conf.xml
    • 866e7f2 : bullhead: Apn fix for Simyo (sub brand of Orange ES)
    • d480142 : bullhead: Apn fix for Simyo 214-19
    • 58374ed : Add dun APN for Telstra to apns-full-conf.xml
    • 4dbc40d : bullhead: Apn fix for Simyo (sub brand of Orange ES)

  • device/lge/bullhead-kernel with 4 change(s)
    • eb8776d : bullhead: update kernel prebuilt
    • dc0f7d1 : bullhead: update kernel prebuilt
    • c400642 : bullhead: update kernel prebuilt
    • 02bf5a1 : bullhead: update kernel prebuilt

  • platform/art with 1 change(s)
    • d141879 : ART: Reinstate secondary-image-patching exit

  • platform/build with 55 change(s)
    • 307aaf1 : Version bump to OPM8.190605.005 [core/build_id.mk]
    • 1a47f3d : Version bump to OPM8.190605.004 [core/build_id.mk]
    • 361c9c5 : Version bump to OPM8.190605.003 [core/build_id.mk]
    • fdcd0d9 : Version bump to OPM8.190605.002
    • 9be4e35 : Update Security String to 2019-06-05 Bug:129374896 Merged-In: 2c26c3d4c0314f8a3f905e5a7081556f7b4b353a (cherry picked from commit 3ae4e858b7c169b19a4994dd6b124a68fa234ff0)
    • 0996ee1 : Update Security String to 2019-05-05 in oc-m8-release Bug:128322951 (cherry picked from commit fa69b7c84a0aa22db03ccb47908ba691764b6437)
    • 0aa9820 : Update Security String to 2019-05-01 in oc-m8-release Bug: 128322951 (cherry picked from commit 9f8b89e4072bc5f1a93d796b6eec642737c93bc4)
    • 50cc11d : Fix string in oc-m8-release (cherry picked from commit 73d7e12f399e34e3ce96830943c097f1cbfbb7fa)
    • 5485fa0 : Version bump to OPM8.190301.002
    • ee25423 : Fix merge conflict into OC-M8-Release (cherry picked from commit 7ed4804fcfc37820e59d954f4765f115055b3fbf)
    • d7e1059 : Fix merge conflict in the security string for OC-M8-release (cherry picked from commit 5502a6440a3953890094384d9559be0de1f0809a)
    • 5536934 : Version bump to OPM8.190201.002
    • 1667aa3 : Version bump to OPM8.190105.002
    • 1650f13 : Version bump to OPM8.181105.002
    • 9a9d10e : Version bump to OPM8.181005.003
    • 37f7991 : Version bump to OPM8.181005.002
    • a8c0363 : Updating Platform Security String to 2018-09-05 Bug: 111501777 (cherry picked from commit 6bc223c9af044ad06e2f1abc0c4570a7371f9a3a)
    • 2d990ff : Version bump to OPM4.171019.021
    • a6f587b : Version bump to OPM4.171019.020
    • 4fa8970 : Update Security String to 05-05 on release branch (cherry picked from commit 15d6d5502cb5eb2b2054c8baecadccc4422854c9)
    • ccde022 : Version bump to OPM4.171019.017
    • 61f009f : Version bump to OPM2.171019.029
    • 5b801cf : Version bump to OPM1.171019.025
    • e364b36 : Version bump to OPM1.171019.024
    • 8fb32cf : Version bump to OPM1.171019.023
    • b444333 : Version bump to OPM1.171019.022
    • f1b02e0 : Version bump to OPM2.171019.028
    • 920e126 : Version bump to OPM2.171019.027
    • ba97bf5 : Version bump to OPM2.171019.026
    • c6d3406 : Version bump to OPM2.171019.025
    • c0aa8b0 : Version bump to OPM1.171019.021
    • c63914b : Version bump to OPM2.171019.024
    • edb20e3 : Specify --max_timestamp when calling brillo_update_payload.
    • 9de91d9 : Specify --max_timestamp when calling brillo_update_payload.
    • f7818c7 : Version bump to OPM2.171019.022
    • aecfa17 : Version bump to OPM2.171019.021
    • 4dc1dfb : Version bump to OPM2.171019.020
    • 4fe054f : Version bump to OPM1.171019.019
    • 058decd : Version bump to OPM2.171019.016
    • e5924a5 : Version bump to OPM1.171019.018
    • ddc4b4c : Version bump to OPM1.171019.017
    • bde6743 : Version bump to OPM1.171019.015
    • 22e3233 : Version bump to OPM1.171019.014
    • 7af9627 : Version bump to OPM4.171019.012
    • 0fcf3d6 : Version bump to OPM1.171019.013
    • eaf66a7 : Version bump to OPM2.171019.012
    • 24b10be : Update Security String to 2017-12-05 for December Security Bug: 67774760 (cherry picked from commit 81ee575d52e964d1a3933ac6e8e1a680321883a8)
    • 9e8785d : Version bump to OPM2.171019.006
    • b9cacc9 : Version bump to OPM2.171018.002
    • 8ceb746 : Version bump to OPM2.171010.002
    • c71e006 : Version bump to OPM2.171009.002
    • de0954d : Version bump to OPM2.170928.004
    • f30e3be : Version bump to OPM2.170921.002
    • 981e874 : Version bump to OPM2.170911.004
    • cd0eb5f : Version bump to OPM2.170911.003

  • platform/cts with 6 change(s)
    • 8e0cdc3 : Add CTS test to verify that overlays cannot be installed
    • dd3bb8f : Added autofill test to check apps cannot bypass package name on AssistStructure
    • 614d7dc : Add CTS test for URI fix.
    • 3085dc8 : Verify b/67737022 fix presence
    • 7ab52a6 : Test that createBitmap(65535,65535) throws OOME
    • 8da997e : Add EffectBundleTest

  • platform/external/aac with 5 change(s)
    • b2cd161 : Prevent out of bounds accesses in lppTransposer()
    • d04caf3 : MPEG-4 AAC Decoder: check against invalid height info
    • 1b9cbed : MPEG-4 AAC Decoder: check against invalid height info
    • b6409ad : MPEG-4 AAC Decoder: check against invalid height info
    • 8e3be52 : Fix out of bound memory access in lppTransposer

  • platform/external/bouncycastle with 1 change(s)
    • 7e3f86f : Fix probable prime confidence calculations.

  • platform/external/chromium-libpac with 1 change(s)
    • f0083fc : Test for error in handling getters changing element kind.

  • platform/external/conscrypt with 2 change(s)
    • 09bc6dc : Fix SSLEngine bug with multiple heap buffer inputs.
    • c98b326 : Allow parsing RSA keys from buffers with extra space at the end.

  • platform/external/curl with 1 change(s)
    • 02069aa : Disable unused protocols.

  • platform/external/e2fsprogs with 1 change(s)
    • 654f5f5 : Ignore quotes in safe_print().

  • platform/external/libavc with 18 change(s)
    • 3c2e504 : decoder: Signal IVD_RES_CHANGED error for change in crop params
    • 3bda820 : Encoder: Return error for odd resolution
    • 7b2aa13 : Decoder: Modify setting short term reference field flag
    • 292c7b5 : Decoder: Fixed reset values in parse sps.
    • d7dbaf9 : Decoder: Set prev slice type for I slice.
    • d849abf : Decoder: Fixed reset values in parse sps.
    • 3e3e81e : Decoder: Set prev slice type for I slice.
    • cbab566 : Decoder: Fixed reset values in parse sps.
    • 53c48c1 : Decoder: Set prev slice type for I slice.
    • a6db459 : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • 73f6f18 : Decoder: Fixed memory overflow in shared display mode.
    • 4b58c8f : Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.
    • a7f41c5 : Decoder: Fixed memory overflow in shared display mode.
    • 10f3065 : Decoder: Modified loop condition while parsing ref_list_reordering.
    • 5acaa6f : Decoder: Handle dec_hdl memory allocation failure gracefully
    • 6c327af : Decoder: Fixed incorrect use of mmco parameters.
    • e86d3cf : Decoder: Increased allocation and added checks in sei parsing.
    • 42cf029 : Decoder: Detect change of mbaff flag in SPS

  • platform/external/libhevc with 22 change(s)
    • 70c3177 : Decoder: Signal IVD_RES_CHANGED error for change in crop params
    • f5bcfc0 : Add limits check for the CTB position in a frame
    • 4403e3c : Return error for invalid st/lt sps parameters
    • 533dc36 : Return error for invalid sps sub layers parameters
    • 9b7e137 : Add limits check for depth hierarchy sps parameters
    • b00b802 : Return error for invalid reorder parameter
    • d81812e : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • a0779d9 : Fix output buffer size check
    • daaece3 : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • b7d4d58 : Fix output buffer size check
    • d90f122 : Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps
    • 17b3a1c : Fix output buffer size check
    • b0e1239 : Check if luma wd and ht are multiple of min cb size
    • 96a40a0 : Update ctb pu map for I slice
    • b686bb2 : Add PUSH-POP of D registers in Arm Neon 32 bit functions
    • 0a714d3 : Fix first frame error return
    • 066e3b1 : Return error for negative crop parameters
    • b3f31e4 : Consume bytes for sps with unsupported resolution
    • 52ca619 : Fix slice address zero for not first slice in pic
    • 3ed3c6b : Decoder: Handle ps_codec_obj memory allocation failure gracefully
    • 7c9be31 : Fix prev slice incomplete check
    • f5b2fa2 : Fix incomplete frame error

  • platform/external/libmpeg2 with 11 change(s)
    • f2044b7 : Add push-pop for Neon D8-D15 registers
    • 30e61d8 : Adding check for min_width and min_height
    • 17c2e4d : Adding Check For Number of Skip MBs
    • c29520c : Adding Internal Input Buffer
    • e944ad6 : Adding Error Check for Output Buffer Size
    • 3d8f5d9 : Correcting Buffer Allocation for Shared Display
    • b8e0483 : Fixing Underflow of ps_dec-u2_num_mbs_left
    • 9449ef4 : Adding Error Check for Output Buffer Size
    • 0ad7e37 : Correcting Buffer Allocation for Shared Display
    • 5687dbe : Fixing Underflow of ps_dec-u2_num_mbs_left
    • 29a78a1 : Adding Error Check for f_code Parameters

  • platform/external/libvpx with 1 change(s)
    • a2a66a3 : libwebm: Cherrypick 5a41830 from upstream

  • platform/external/libxml2 with 1 change(s)
    • 11cfbd9 : RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

  • platform/external/neven with 1 change(s)
    • d5a0280 : Make bound check proper in bbf_Scanner_addOutPos

  • platform/external/skia with 4 change(s)
    • 447a2c3 : RESTRICT AUTOMERGE: Fix bug decoding JCS_RGB jpeg files
    • 4ebca09 : RESTRICT AUTOMERGE: Fix heap buffer overflow
    • df0c3d0 : RESTRICT AUTOMERGE: Add SkAndroidFrameworkUtils::SafetyNetLog
    • 77c9552 : RESTRICT AUTOMERGE: Cherry-pick "begin cleanup of malloc porting layer"

  • platform/external/sonivox with 5 change(s)
    • 0fbe620 : sonivox: prevent rejection of good but large MIDI files
    • 2061206 : sonivox: prevent infinite loop in OTA ringtones
    • 95e51b9 : sonivox: fix hang caused by bad meta-event
    • 3806f2f : Add recursion limit to XMF_ReadNode
    • aa9d9d6 : Fix memory leak

  • platform/external/sqlite with 1 change(s)
    • 248f154 : RESTRICT AUTOMERGE: Apply security patch to sqlite 3.19.

  • platform/external/svox with 2 change(s)
    • f5281a9 : SVOX: Properly initialize buffers.
    • cee7819 : SVOX: Properly initialize buffers.

  • platform/external/tremolo with 2 change(s)
    • 7431d3c : Add some error/overflow checks in codebook handling
    • 6f4fd54 : Fix OOB access in Tremolo

  • platform/external/v4l2_codec2 with 1 change(s)
    • 179bddd : Don't continue with an invalid iterator

  • platform/external/v8 with 7 change(s)
    • fc7e002 : Fix type confusion in libpac
    • 87b415a : [RESTRICT AUTOMERGE] Fix Integer Overflow in libpac
    • 987358e : [RESTRICT AUTOMERGE] Fix type confusion in libpac
    • d3e344d : [RESTRICT AUTOMERGE] Fix OOB Access in libpac
    • 3065644 : Fix type confusion in libpac
    • aa7978e : Fix OOB read in libpac ast-numbering.cc
    • 99b3e48 : Backport: Fix Object.entries/values with changing elements

  • platform/external/wpa_supplicant_8 with 3 change(s)
    • 0bcc99c : [wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
    • 4435e17 : Use BoringSSL to get random bytes
    • de0bbf0 : WNM: Fix WNM-Sleep Mode Request bounds checking

  • platform/frameworks/av with 56 change(s)
    • 5e904d7 : AudioFlinger: Prevent multiple effect chains with same sessionId
    • 3f961b2 : audio: ensure effect chain with specific session id is unique
    • b0266f4 : NuPlayerCCDecoder: fix memory OOB
    • d8f320f : Reserve enough space for RTSP CSD
    • 053895d : AudioFlinger: put effect desc lookup under mutex for createEffect
    • 33f089b : RESTRICT AUTOMERGE: aaudio: improve test_atomic_fifo
    • d276f99 : RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index
    • 2ad5647 : RESTRICT AUTOMERGE: aaudio: fix FIFO wrapround frame counts
    • 16f9b39 : CTS error while media dump()
    • 4b7a7c3 : Fix information disclosure in mediadrmserver
    • 6828774 : Check for overflow of crypto size
    • ca0afc0 : M3UParser: handle missing EXT-X-MEDIA URIs
    • 871c0f2 : Allow kPortModeDynamicANWBuffer for kBufferTypeANWBuffer in useBuffer
    • 7ee4392 : MediaExtractor: stop rendering when an error occurs
    • e2c876f : Fix possible out of bounds read
    • 0d42771 : OMXNodeInstance: Allow dynamic native handle mode for input buffers
    • fa7042e : M3UParser: make url on demand
    • 920b52b : Speed up id3v2 unsynchronization
    • 7a50a7b : Fix security vulnerability in CryptoHal
    • 2c0d6cf : omx: restrict useBuffer according to buffer type and port mode
    • d089c85 : aaudio: use weak pointer to prevent UAF
    • 4c5b224 : Add minimum size check for ImageGrid atom
    • 5bf5d02 : Sanitize effect descriptors for AudioPolicyService binder calls.
    • 886eb8e : Add check preventing div0 issue
    • a0dbbec : Init gain config to prevent uninit leak.
    • c5c43b6 : Refactor MediaPlayerBase's notify
    • 7c592cc : Handle overflow in android::HeifDataSource::readAt
    • 1759f37 : better mpeg2 TS elementary stream Access Unit parsing
    • eecf2a3 : Handle bad bitrate index in mp3dec.
    • 72cd352 : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • d12c360 : Refactor MediaPlayerBase's notify
    • b20b43c : Check NAL size before looking inside
    • 7e02063 : Prevent MediaPlayerService::Client's use-after-free
    • d32af5d : M3UParser: detect variant streams without EXT-X-STREAM-INF
    • 5ffa7ea : Prevent MediaPlayerService::Client's use-after-free
    • 12e25a7 : Check NAL size before looking inside
    • 3024bd8 : libmedia: Fix null pointer crash in secure buffer allocation.
    • 6e73bdd : Fix use of uninitialized value in libmediadrm
    • 7206fc0 : AACExtractor: check bounds during seek
    • 775133a : Fix potential buffer overflow in mediadrmserver
    • 86141f9 : Fix use of uninitialized value in libmediadrm
    • 1617cbe : AACExtractor: check bounds during seek
    • 871412c : Fix potential buffer overflow in mediadrmserver
    • 4e091c6 : Apply input buffer validation also to AVC and MPEG4 encoders
    • 45425ee : httplive: check for malformed EXT-X-STREAM-INF
    • 2f07748 : camera: Drop pending preview for enableZsl shots
    • 9c8bf05 : IAudioPolicyService: Add attribute tags sanitization
    • 35650d3 : camera: Drop pending preview for enableZsl shots
    • f1652e1 : avoid 32-bit integer overflow
    • 646a18f : Access AVCDEC context after create fail check
    • 47d4b33 : Access HEVC context after create fail check
    • cf1e36f : SoftAVCDec: Handle zero length input without EOS
    • de7f50e : Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
    • dd3ca4d : Fix edge case when applying id3 unsynchronization
    • 7f7783d : Validate decryption key length to decrypt function.
    • 7adb5f5 : Protect against possible race conditions

  • platform/frameworks/base with 92 change(s)
    • aa868bc : Limit IsSeparateProfileChallengeAllowed to system callers
    • 052ed94 : Added missing permission check to isPackageDeviceAdminOnAnyUser.
    • e1dd453 : Permission Check For DPM.getPermittedAccessibilityServices
    • bf6f182 : [RESTRICT_AUTOMERGE]: Add cross user permission check - areNotificationsEnabledForPackage
    • fccc1d1 : DPM: Fix regression from I54376f60ac53451ace22965d331b47cd8c2e614e
    • 1af86e5 : RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters.
    • 2b17849 : Adding SUPL NI Emergency Extension Time
    • 7125bfe : FRP: save password quality in DPM.resetPassword
    • 1d4009a : Bluetooth: Check descriptors size in BluetoothHidDeviceAppSdpSettings
    • daec20e : RESTRICT AUTOMERGE: Added an app id security check in isAppForeground.
    • 798aba1 : RESTRICT AUTOMERGE: Recover shady content:// paths.
    • fbff0c7 : RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."
    • f1ca40e : Verify number of Map entries written to Parcel
    • 84747b2 : RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions.
    • 462b867 : RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.
    • 15c4bdc : Revert "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package."
    • 368faea : Fix crash during cursor moving on BiDi text
    • 0c4da9d : RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package.
    • f3709a8 : Optimise the hit test algorithm
    • 70346ba : Fix TrackInfo parcel write
    • 43631a4 : vpn: allow IPSec traffic through Always-on VPN
    • 44f897a : Resolve inconsistent parcel read in NanoAppFilter
    • d14a122 : Backport Prevent shortcut info package name spoofing
    • e87a7c9 : Fix DynamicRefTable::load security bug
    • 6ab2779 : ResStringPool: Prevenet boot loop from se fix
    • 0e50de3 : Make safe label more safe
    • dc76622 : WM: Prevent secondary display focus while keyguard is up
    • 51f7f6b : clearCallingIdentity before calling into getPackageUidAsUser
    • 959db06 : Nullcheck to fix Autofill CTS
    • 1449bd2 : Osu: fixed Mismatch between createFromParcel and writeToParcel
    • 11c2698 : Fix broken check for TelephonyManager#getForbiddenPlmns
    • 17552c3 : ResStringPool: Fix security vulnerability
    • d5e98d9 : RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
    • fda6995 : Use concrete CREATOR instance for parceling lists
    • 4708368 : Rework thumbnail cleanup
    • 1b6a6b0 : Proper autofill fix to let phone process autofill Settings activity.
    • fb5af33 : Fixed Security Vulnerability of DcParamObject
    • bafa72f : Update internal ViewPager's SavedState to match Support Library version
    • 7dd7459 : Verify last array's length in readFromParcel
    • 173d375 : Make sure apps cannot forge package name on AssistStructure used for Autofill.
    • 854ac60 : [RTT] ParcelableRttResults parcel code fix
    • 935288b : Fix VerifyCredentialResponse parcelling code
    • 0d63046 : Adjust URI host parsing to stop on \ character.
    • 9f4c9c1 : Check for null-terminator in ResStringPool::string8At
    • e6e4ebf : OutputConfiguration: Fix missing mIsShared in parcel read
    • 3e56e03 : Fix bad type for txPower in PeriodicAdvertisingReport serialization
    • db0f510 : fix isActiveNetworkMetered with VPNs
    • 0748edc : Handle onBindingDied in notification manager
    • fef1a3e : Relax Instant Apps Settings whitelist enforcement
    • 5a3d270 : [RTT] ParcelableRttResults parcel code fix
    • 09ba8fd : Fix VerifyCredentialResponse parcelling code
    • a4e80ee : Update diskstats to break out code & data.
    • 0b57631 : Adjust URI host parsing to stop on \ character.
    • a2a3654 : Check for null-terminator in ResStringPool::string8At
    • 47ebfaa : OutputConfiguration: Fix missing mIsShared in parcel read
    • b796cd3 : Fix bad type for txPower in PeriodicAdvertisingReport serialization
    • 4525320 : Use correct user id for permission check for instant foreground service
    • 433354b : Metrics wifi.proto for connected wifi score
    • 7cad2e5 : Fixed AUTOFILL_UI_LATENCY metric.
    • d88103d : Add metric for anomaly detection
    • dda9bbf : Add support for notification of LTE to WIFI handover for video calls.
    • bb3b817 : Turn default gradient into solid black
    • 133adf7 : [PASSPOINT] Add metrics to determine deployment/avail of Passpoint
    • 10bb5dd : Add assisted dialing properties to the framework.
    • 70854eb : [AWARE] Make PeerHandle comparable/hashable
    • 8d58c21 : Fix issues with TRON app transition logging
    • 90c6d6e : Adjust URI host parsing to stop on \ character.
    • 826fec9 : Check for null-terminator in ResStringPool::string8At
    • b0690cb : OutputConfiguration: Fix missing mIsShared in parcel read
    • 729ab20 : Fix bad type for txPower in PeriodicAdvertisingReport serialization
    • c29e6d9 : Use correct user id for permission check for instant foreground service
    • a1bf45d : Metrics wifi.proto for connected wifi score
    • b6494a9 : Relax Instant Apps Settings whitelist enforcement
    • 3ddda87 : Fixed AUTOFILL_UI_LATENCY metric.
    • 6f89a3e : OMS: Only allow trusted overlays to be registered.
    • ce69272 : Add metric for anomaly detection
    • 2d2ca97 : Proper autofill fix to let phone process autofill Settings activity.
    • 9342975 : OMS: Only allow trusted overlays to be registered.
    • 5a285e0 : Make sure apps cannot forge package name on AssistStructure used for Autofill.
    • fd51a3b : Add support for notification of LTE to WIFI handover for video calls.
    • db03f06 : Turn default gradient into solid black
    • e371506 : [PASSPOINT] Add metrics to determine deployment/avail of Passpoint
    • bbe032c : Add assisted dialing properties to the framework.
    • 37cf851 : [AWARE] Make PeerHandle comparable/hashable
    • e9b5381 : Fix issues with TRON app transition logging
    • 926c144 : Swap the order of synthetic password wrapping
    • 228112f : More dimming tweaks (for accessibility)
    • 4afa035 : Adjust Uri host parsing to use last instead of first @.
    • 42b2e41 : Throw OOME if Bitmap.nativeCreate fails
    • d64e959 : mtp: fix double free of thumbnail data
    • 4ec3b53 : Make sure top activity is stopped on sleep if paused.
    • b0bccc7 : Revert "Make sure top activity is stopped on sleep if paused."

  • platform/frameworks/ex with 3 change(s)
    • 1ba5c0d : Add bounds checking for transparency lookup
    • ebd849e : Add bounds checking for transparency lookup
    • ede8f95 : Skip composition of frames lacking a color map

  • platform/frameworks/minikin with 2 change(s)
    • ae7af07 : Fix OOB read due to integer overflow
    • 3056f04 : Fix OOB read due to integer overflow

  • platform/frameworks/native with 8 change(s)
    • 8197311 : Sanitize InputMessage before sending
    • 3aeaef6 : libui: add boundary check to GraphicBuffer::unflatten
    • 51db8c3 : Don't pad before calling writeInPlace().
    • f52855d : Increment when attempting to read protected Parcel Data
    • 772b684 : Disallow reading object data from Parcels with non-object reads
    • 215a16e : Fix resampling for multiple pointers
    • 90bddcf : Add bounds check to sensors direct channel creation
    • 16392a1 : surfaceflinger: make vsync injection more robust

  • platform/frameworks/opt/net/wifi with 6 change(s)
    • 46dcddb : Metrics for connected wifi score
    • 52b1985 : WifiMetricsTest fixes
    • b6c5459 : [PASSPOINT] Add metrics to determine deployment/avail of Passpoint
    • 75eb812 : WifiMetricsTest fixes
    • 218a962 : Metrics for connected wifi score
    • 9709abd : [PASSPOINT] Add metrics to determine deployment/avail of Passpoint

  • platform/frameworks/opt/telephony with 7 change(s)
    • ffe4fdf : Fixed invalid pdu issue
    • 8d9cccc : Add support for notification of midcall video call radio handovers.
    • e7db19e : Do not notify of WIFI to LTE handover for disconnected call.
    • d1623f4 : Increase waiting state timeout from 30s to 5min.
    • be5db63 : Add support for notification of midcall video call radio handovers.
    • 4b39dd3 : Do not notify of WIFI to LTE handover for disconnected call.
    • 28aec73 : Increase waiting state timeout from 30s to 5min.

  • platform/hardware/broadcom/wlan with 2 change(s)
    • ffe9a48 : net: wireless: bcmdhd: add string buffer bound check in wifi_set_epno_list
    • 4ece48f : net: wireless: bcmdhd: update bcm4354 FW (7.35.101.9)

  • platform/hardware/google/easel with 2 change(s)
    • 8a24ecc : pbcamera: Add nofityEaselFatalError
    • 2f3d8bf : pbcamera: Add nofityEaselFatalError

  • platform/hardware/interfaces with 2 change(s)
    • d945929 : cas: do not use hidl_memory if size is SIZE_MAX
    • d6e8f9d : cas: validate shared buffer size before using

  • platform/hardware/qcom/camera with 12 change(s)
    • 1d45291 : Adds experimental2017 vendor tags for motion detection enable and results.
    • 278f33f : Adds experimental2017 vendor tags for motion detection enable and results.
    • 33d0011 : QCamera3: Rename property to disable HDR+
    • 6ffa4f8 : QCamera2: HAL3: Support concurrent camera with Easel
    • bf43359 : QCamera: Add Easel FW version in EXIF
    • 30f4c9c : QCamera3: Notify HDR+ client about Easel error
    • 6d31b27 : Revert "Revert "QCamera3: Enable HDR+ by default""
    • e9cccc4 : QCamera3: Rename property to disable HDR+
    • 429a060 : QCamera2: HAL3: Support concurrent camera with Easel
    • ccdcca2 : QCamera: Add Easel FW version in EXIF
    • 2b4f863 : QCamera3: Notify HDR+ client about Easel error
    • 750311e : Revert "Revert "QCamera3: Enable HDR+ by default""

  • platform/hardware/qcom/display with 1 change(s)
    • 48bb313 : Fix Buffer Overflow in Vendor Service display.qservice

  • platform/hardware/qcom/media with 4 change(s)
    • ea11bb2 : mm-video-v4l2: Protect buffer access and increase input buffer size
    • 34572dc : mm-video-v4l2: Squash below changes
    • 3f70e6c : mm-video-v4l2: Protect buffer access and increase input buffer size
    • b539e1a : mm-video-v4l2: venc: Squash below changes

  • platform/libcore with 2 change(s)
    • ddb0973 : Fix hostname parsing in java.net.URLStreamHandler.
    • 19a746e : Add test that extra buffer space is ignored.

  • platform/packages/apps/Bluetooth with 1 change(s)
    • 49499e9 : Make sure server response doesn't exceed maximum allowable length

  • platform/packages/apps/CarrierConfig with 2 change(s)
    • eb6beb6 : Enable notification fo LTE to WIFI handover for Verizon.
    • 7f43690 : Enable notification fo LTE to WIFI handover for Verizon.

  • platform/packages/apps/CellBroadcastReceiver with 2 change(s)
    • 9bbdc23 : Added carrier customized ETWS test channel support
    • 15e22c8 : Added carrier customized ETWS test channel support

  • platform/packages/apps/Contacts with 1 change(s)
    • 27ab1f8 : Patch URI vulnerability in contact photo editing

  • platform/packages/apps/Email with 4 change(s)
    • 3f8d498 : AOSP/Email - Second part of the Security Vulnerability fix - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • 08dbcc8 : Disallow attaching files from our own EmailAttachmentProvider.
    • c3e0aba : Disallow attaching files from our own EmailAttachmentProvider.
    • e5b6a43 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/apps/Messaging with 1 change(s)
    • c905499 : Messaging ignores file URIs shared via intent

  • platform/packages/apps/PackageInstaller with 3 change(s)
    • 65706f8 : Ask for PIN when granting permissions in front of lock screen
    • 195b5a8 : RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL
    • 458b810 : RESTRICT AUTOMERGE: Always use safe labels

  • platform/packages/apps/Settings with 15 change(s)
    • 8919b6a : Do not allow draw on top for default sms picker.
    • f3d7603 : Hide quicksetting tile for dev options when it's turned off
    • 0d2bf81 : Disable changing lock when device is not provisioned.
    • e5b8cc1 : Delete obsolete activity alias for dev settings
    • 1f25d96 : Add metric id for anomaly fragments.
    • da599e4 : Update the way OMS records details about overlays
    • c38c740 : Update the way OMS records details about overlays
    • 99ce64c : Add metric id for anomaly fragments.
    • d5fa60d : Update asset for no search result image
    • 8269770 : Reword bluetooth confirmation dialog
    • dfa402e : Settings: Remove HAL HDR+ option
    • 921a007 : Revert "Revert "Settings: Enable HAL HDR+ by default""
    • 67f3b82 : Fix BluetoothPairingDialogTest to not expect device name
    • 13d46d7 : Settings: Remove HAL HDR+ option
    • 4d45be2 : Revert "Revert "Settings: Enable HAL HDR+ by default""

  • platform/packages/apps/UnifiedEmail with 5 change(s)
    • a835db7 : AOSP/Email - Fixed - Security Vulnerability - Email App: Malicious app is able to compose message with hidden attachments and bypass attachments path checks attaching private files from /data/data/com.android.email/*
    • 5779835 : Filter Attachment file name of forward slashes for .eml attachments.
    • dd5743f : Disallow attaching files from our own EmailAttachmentProvider.
    • e005985 : Disallow attaching files from our own EmailAttachmentProvider.
    • ea768e9 : Disallow attaching files from our own EmailAttachmentProvider.

  • platform/packages/providers/DownloadProvider with 1 change(s)
    • f1cced1 : Remove "public" download feature.

  • platform/packages/providers/MediaProvider with 1 change(s)
    • 9d11085 : Rework thumbnail cleanup

  • platform/packages/providers/TelephonyProvider with 2 change(s)
    • a13987e : Do not overwrite carrier/user edits with UNEDITED
    • 40f3be0 : Do not overwrite carrier/user edits with UNEDITED

  • platform/packages/providers/UserDictionaryProvider with 1 change(s)
    • e364485 : Check caller before accessing database

  • platform/packages/services/Telecomm with 4 change(s)
    • 350748e : Reset speakerphone at beginning and end of calls
    • bf0fd98 : Add assisted dialing feature propogation to call log.
    • fa5faef : Reset speakerphone at beginning and end of calls
    • 9fb6ea4 : Add assisted dialing feature propogation to call log.

  • platform/packages/services/Telephony with 5 change(s)
    • 172a7f4 : Fix potential NPE in EmergencyCallbackModeExitDialog.
    • f261b37 : Fix broken permission check for TelephonyManager#getForbiddenPlmns
    • 39cfeaf : Enhanced permission checks for TelephonyManager#endCall() API.
    • 9cba53c : Add assisted dialing logic to Telephony Connections.
    • b93ac84 : Add assisted dialing logic to Telephony Connections.

  • platform/system/bt with 69 change(s)
    • fe62126 : btm_proc_smp_cback: Don't access p_dev_rec if freed
    • 2225c66 : process_l2cap_cmd: Fix OOB
    • 9b67f1d : btm_ble_multi_adv: Check data length in HCI interface
    • 643292f : Add OOB check in avrc_pars_browse_rsp
    • 6bd0259 : Fix buffer overflow in btif_dm_data_copy
    • a533e0c : Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
    • d3c7b86 : Fix possible OOB read
    • b28b4fb : Check data length when parsing AVRCP vendor specific command responses
    • 4dcb1ef : Fix a wrong check in rfc_parse_data
    • d0450d0 : Add bound check for rfc_parse_data
    • 80f0f0d : Fix build failure in stack/rfcomm/rfc_ts_frames.c
    • 2ac52bb : Add packet length checks in mca_ccb_hdl_req
    • df41965 : Checks the SMP length to fix OOB read
    • c9aba1b : Add packet length check in smp_proc_master_id
    • 1c5192c : Add missing AVRCP message length checks inside avrc_msg_cback
    • 6090e5b : Check packet length in bta_av_proc_meta_cmd
    • 9f96434 : Fix OOB read in avrc_ctrl_pars_vendor_rsp
    • 2b85891 : Check remaining frame length in rfc_process_mx_message
    • eecef97 : Fix copy length calculation in sdp_copy_raw_data
    • 31dc2d4 : HID Host: Check L2CAP packet data length
    • 7f4270c : Add packet length checks in l2cble_process_sig_cmd
    • cb03ab0 : Don't use Address after it was deleted
    • 6c69b51 : HFP: Fix out of bound access in phone number processing
    • dcb5656 : SDP: return error on offset bigger than atribute length
    • 352afd8 : HIDD: Prevent integer underflow in bta_hd_act
    • c948737 : Add BT_HDR length check for received AVCTP packets
    • dd77b7d : Add packet length check for received AVCTP packets
    • 9d6ae30 : Add checks whether the AVDTP element data length is valid
    • a531891 : BNEP: Fix OOB access in bnep_data_ind
    • 0dd3d35 : RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
    • ae32b52 : RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)
    • f79e649 : Decrease length after reading from array in process_service_attr_req
    • 3324f4a : GATT: Handle too short Error Response PDU
    • 1db856a : Add PDU size checks in process_service_search_attr_rsp
    • b545306 : Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
    • 924e573 : Get rid of BTM_IS_PUBLIC_BDA
    • c5a7986 : PAN: Always allocate in bta_pan_data_buf_ind_cback
    • eb8771e : AVRCP: Check number of text attribute values in response
    • 99c17db : AVRCP: Set maximum string length when copying to buffer
    • acb8b71 : AVRCP: Initialize buffer for attribute values to be written to
    • 2c3a82a : AVRCP: Check number of text attributes in response
    • 8feb740 : AVRCP: Check the number of text value attributes requested
    • 2eb7266 : SDP: Check p_req_end before reading from p_req
    • e4ec79b : AVRCP: Check number of text attribute values in response
    • 6f3ddf3 : AVRCP: Set maximum string length when copying to buffer
    • 1696f97 : AVRCP: Initialize buffer for attribute values to be written to
    • 6ecbbc0 : AVRCP: Check number of text attributes in response
    • 57dc596 : AVRCP: Check the number of text value attributes requested
    • 72b1ceb : SDP: Check p_req_end before reading from p_req
    • bb54389 : SDP: Include the offset in sdp_disc_server_rsp
    • 3ddf24d : AVRCP: Check the number of text attributes requested
    • 9711598 : Remove memory reference to invalid mem in error log
    • 84e2ba5 : BNEP: Check received frame type
    • ee4d866 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • 3eb33a2 : Fix unexpected behavior in reading BNEP packets
    • 81b5770 : Fix unexpected behavior in SDP
    • 12395ce : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 3493912 : SDP: Pass the bounds to process_service_*_rsp
    • 1a78560 : Removed alarm callback execution statistics
    • 1313abd : SDP: Include the offset in sdp_disc_server_rsp
    • 2f2043f : AVRCP: Check the number of text attributes requested
    • 49a57cd : Remove memory reference to invalid mem in error log
    • ae12fc4 : BNEP: Check received frame type
    • 08e6833 : PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
    • a50e704 : Fix unexpected behavior in reading BNEP packets
    • f0edf65 : Fix unexpected behavior in SDP
    • ec16f7d : Allocate/free the SDP connection timers only during stack startup/shutdown
    • 0627e76 : SDP: Pass the bounds to process_service_*_rsp
    • 935ee77 : Removed alarm callback execution statistics

  • platform/system/connectivity/wificond with 1 change(s)
    • 94e317d : wificond: Mark scanner impl instance invalid

  • platform/system/core with 3 change(s)
    • 6b121de : Export maximum number of fds/ints in a native_handle.
    • 234fb03 : String16: remove integer overflows
    • b713352 : libnetutil: Check dhcp respose packet length

  • platform/system/hwservicemanager with 2 change(s)
    • f605f7d : ACL based on getCallingSid
    • e1b4a88 : get selinux context on add call arrival.

  • platform/system/libhidl with 4 change(s)
    • 5b61fcc : Add gServiceSidMap.
    • 15a9cf0 : hidl_memory: fail on transfer if size SIZE_MAX
    • dfd88f1 : mapMemory: Do not map if size is SIZE_MAX
    • a4d0252 : canCastInterface: always return true for IBase

  • platform/system/libhwbinder with 2 change(s)
    • 01a54e6 : getCallingSid: get calling security context
    • 3f4b3cd : Deserialize a native_handle safely.

  • platform/system/media with 1 change(s)
    • e770e37 : Camera metadata: Check source metadata size

  • platform/system/nfc with 24 change(s)
    • 15f5b3a : Revert "Add null check in nfa_ce_deactivate_ntf"
    • 24f94cc : Add null check in nfa_ce_deactivate_ntf
    • 35c73eb : Fix heap overflow in nfa_rw_store_ndef_rx_buf
    • 199f5ba : Prevent OOB read in rw_i93_process_sys_info()
    • a8943cd : Prevent OOB error in rw_i93_sm_read_ndef()
    • 1189df1 : Prevent OOB error in rw_i93_sm_update_ndef()
    • fab3fcc : Prevent OOB error in rw_i93_sm_detect_ndef()
    • efc7bda : Prevent integer underflow in rw_t3t_act_handle_check_ndef_rsp()
    • 5d993d3 : Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
    • dd7abfa : Prevent OOB read in rw_t3t_act_handle_ndef_detect_rsp()
    • 5b4fbce : Fix heap overflow in NFA_SendRawFrame()
    • 5945a0e : Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()
    • 32d11db : Prevent Integer Overflow in rw_t3t_act_handle_check_rsp()
    • a77ddca : Prevent OOB read in rw_t3t_update_block()
    • 0aaa23a : Prevent Out of bounds read in ce_t4t.cc
    • d2409f3 : Fix CVEs in llcp_util.cc
    • 318ed19 : Prevent Out of bound error in llcp_dlc_proc_rr_rnr_pdu()
    • 29cf211 : Prevent OOB error in nfc_ncif_proc_get_routing()
    • a48b7f0 : Prevent Out of bounds read/write in nfc_ncif_set_config_status
    • a5ee71d : Improve AGF PDU integrity check to prevent OOB error
    • 9af82ae : Prevent Out of bounds read in llcp_dlc
    • e9caca1 : Prevent Out of bounds read in llcp code part 2
    • 4a9f1c3 : Prevent OOB error for T2T read/writes
    • 95b7a65 : Prevent Out of bounds read in llcp code

  • platform/system/security with 2 change(s)
    • dbb64f6 : Fixing bug in security vulnerability patch
    • 65423d0 : Fixing security vuln by tightening race condition window.

  • platform/system/sepolicy with 2 change(s)
    • d9339f1 : crash_dump: disallow ptrace of TCB components
    • d58aa86 : Add drmserver permission for ephemeral apps

  • platform/system/tools/hidl with 2 change(s)
    • a47dd8a : Fillout requesting SID.
    • 8539fc8 : Explicitly check processes are oneway

  • platform/system/update_engine with 4 change(s)
    • c1a0a40 : Add SafetyNet logging for payload timestamp error.
    • 5ed4f4c : Add maximum timestamp to the payload.
    • 55b7e08 : Add SafetyNet logging for payload timestamp error.
    • 8c3c80c : Add maximum timestamp to the payload.