Change-Id: Ib2bcaff2de07f711478c0f75ab1b9c837774422c

Android 8.1.0 Release 50 (OPM7.181105.004)

* tag 'android-8.1.0_r50':
  RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."
  Verify number of Map entries written to Parcel
  RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions.
  RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission.

Change-Id: I0c42757d48299ffe3b2a60391a67f0c8f2e466bb

Change-Id: I0927eb07d26f15b36d057407eaee9cadad64309c

Change-Id: I2eca5db1cdf99d469184d875f413f39b861ddc00

Change-Id: Ib8c917cdd2cf986941432e1e2dfec90d706c1377

Change-Id: I56853b5829cfa1ba471d298c918a240efcf0438e

Change-Id: I399f1df187d29f8c2b4d3998b482fce9e0960c8f

Change-Id: If2635757423f54da65d7dcb1230180e00b803dd5

Change-Id: I2ee5d65006ff22dfa381aae50e5757b8e7596e91

Android 8.1.0 release 47

* tag 'android-8.1.0_r47':
  Revert "RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package."
  Fix crash during cursor moving on BiDi text
  RESTRICT AUTOMERGE: Revoke permissions defined in a to-be removed package.
  DO NOT MERGE. Extend SQLiteQueryBuilder for update and delete.
  DO NOT MERGE. Execute "strict" queries with extra parentheses.
  DO NOT MERGE. Persistable Uri grants still require permissions.
  Optimise the hit test algorithm

Change-Id: I5a266009dbb7a5d0da9811c5b129138af2b4cce0

Change-Id: Ida047fe37543c6cedb5bd8fcea026f05afea46b5

RESTRICT AUTOMERGE: Revert "RESTRICT AUTOMERGE: Check both self and shared user id package for requested permissions."

This reverts commit 05dc947c.

Reason for revert: Not a security fix and the security fix needs this cl is reverted.
Bug: 114365189

Change-Id: Id667b1c4d1a1af27837f553d7461283b22e5e41f
(cherry picked from commit bb4dcd10)

Merge cherrypicks of [4997814, 4997815, 4997816, 4996950, 4996344, 4997836, 4997837, 4997838, 4998071, 4998091, 4998092, 4998093] into oc-m7-release

Change-Id: Ia72b0b0a4e2dfb3176853b3e1feb38e1eefddfa0

Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.

Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest

Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit 057a01d1)

Bug: 111752150
Test: Manual local test
Change-Id: I0b48a20525f87fc6f5ab8d7e70aa7d11cd747f97
(cherry picked from commit 05dc947c)

1: Cherry-pick ag/4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow

2: Cherry-pick ag/3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded

3: Add permissions to SystemUI to allow it to hide non-system overlays

Bug: 34170870
Test: manual (see bug for poc)
Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
(cherry picked from commit 40f7b583)

Change-Id: Idd989acb181b06f9c828fd740a9a20bfe6881bba

Android 8.1.0 Release 46 (OPM6.171019.030.K1)

* tag 'android-8.1.0_r46': (23 commits)
  Fix TrackInfo parcel write
  vpn: allow IPSec traffic through Always-on VPN
  Resolve inconsistent parcel read in NanoAppFilter
  Backport Prevent shortcut info package name spoofing
  Fix DynamicRefTable::load security bug
  ResStringPool: Prevenet boot loop from se fix
  Make safe label more safe
  WM: Prevent secondary display focus while keyguard is up
  DO NOT MERGE: Add unit tests to ensure VPN meteredness
  DO NOT MERGE: Fix ConnectivityController meteredness checks
  clearCallingIdentity before calling into getPackageUidAsUser
  Nullcheck to fix Autofill CTS
  Osu: fixed Mismatch between createFromParcel and writeToParcel
  DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name
  Fix broken check for TelephonyManager#getForbiddenPlmns
  DO NOT MERGE (O) Revoke permision when group changed
  ResStringPool: Fix security vulnerability
  RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
  Use concrete CREATOR instance for parceling lists
  Rework thumbnail cleanup
  ...

Change-Id: I1376977831bf2ab308765234b9ae4f3f7da3ee8b

* The action(Context, int, boolean) call is deprecated and
  links to the non-static method action(int, boolean)
* To use that, we need an instance variable of MetricsLogger
* There are other tiles using the deprecated calls as well but
  those are maintained by aosp so hopfully updated by them at
  next source drop

Change-Id: I25358a9cf70c7a721c66ffe90d315a2ffcd2abcc

* Opening the detail view should enable profiles
* Disabling the switch should also close the details
* The tile's title should just be "System profiles"
  when disabled, we also don't say "Wifi off" on wifi tile
* Set dualTarget to true so the tile indicates expandability

Change-Id: I4eb463bc84ad78fcabb8acef1829c990ab04f19b

Contains also commit by Joey Rizzoli:

SystemUI: Profiles tile should require authentication

A profile with the option to disable secure lockscreen could be
used to bypass the lockscreen security.
Require the user to unlock their device when tapping on the profile
quick tile.

BUGBASH-1095

Change-Id: I2a438af301212241533b969bf2c6c8390ef09cbc

Change-Id: I5407f09b1990560b4908fd78be454f3e57d7a363

This reverts commit 82107644.

Reason for revert: b/111752150

Change-Id: I035cfcacaeaf798b8aea7fe62376624d06c64388
(cherry picked from commit 9cd13a2bd5ca2546da7a15182b0ddf1a81f2e7da)

The codec and container format are already supported, but not in that
combination. Simply add the file extension as a type of Ogg file (which
it is).

Change-Id: Ia9134a8d1205f73da12f579b3ad62367b2b8d88e
See: https://issuetracker.google.com/issues/37054258

Change-Id: I70bf5793e485dfcad44f1c7bbedf8c9f1d19105b

Merge cherrypicks of [4787603, 4787134, 4787604, 4786834, 4787135, 4787488, 4786835, 4787489, 4787490, 4787548, 4787549, 4787550, 4787551, 4787552, 4787553, 4787502, 4786836, 4785839, 4787620, 4787621, 4787622, 4787623, 4787624, 4787625, 4787626, 4787627, 4787628] into oc-m7-release

Change-Id: I601b76d218a5f03fb1506cbd22a2c9d2cec85469

The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
The root cause of the crashing is requesting out-of-line access for the
horizontal width. This invalid access is silently ignored by
TextLine#measure() method but new implementation end up with out of
bounds access.

To makes behavior as old implementation, calling getHorizontal instead
of accessing measured result array.

Bug: 78464361, 111580019
Test: Manually done
Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
(cherry picked from commit 960647d582911ae7ab8b9491097898e6c313aaf1)
Merged-In: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
(cherry picked from commit d30c55e3)

Bug: 67319274
Test: run cts-dev --module CtsPermissionTestCases --test android.permission.cts.RemovePermissionTest#permissionShouldBeRevokedIfRemoved
Change-Id: I2771c048e13529e168121c5a5501aa26fc21e30f
(cherry picked from commit 82107644)

Developers often accept selection clauses from untrusted code, and
SQLiteQueryBuilder already supports a "strict" mode to help catch
SQL injection attacks.  This change extends the builder to support
update() and delete() calls, so that we can help secure those
selection clauses too.

Bug: 111085900
Test: atest packages/providers/DownloadProvider/tests/
Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
(cherry picked from commit 09d49531)

SQLiteQueryBuilder has a setStrict() mode which can be used to
detect SQL attacks from untrusted sources, which it does by running
each query twice: once with an extra set of parentheses, and if that
succeeds, it runs the original query verbatim.

This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
creates valid statements for both tests above, but the final executed
query ends up leaking data due to SQLite operator precedence.

Instead, we need to continue compiling both variants, but we need
to execute the query with the additional parentheses to ensure
data won't be leaked.

Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/SQLiteQueryBuilderTest.java
Bug: 111085900
Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
(cherry picked from commit 5a55a72f)

When FLAG_GRANT_PERSISTABLE_URI_PERMISSION is requested, we still
need to check permissions between the source and target packages,
instead of shortcutting past them.

The spirit of the original change is remains intact: if the caller
requested FLAG_GRANT_PERSISTABLE_URI_PERMISSION, then we avoid
returning "-1", which would prevent the grant data structure from
being allocated.

Bug: 111934948
Test: atest android.appsecurity.cts.AppSecurityTests
Change-Id: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
Merged-In: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
(cherry picked from commit 05519b7e)

Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
length of the current line. The method is used when a touch event
happens on a text line, to compute the cursor offset (and the character)
where it happened. Although this is not an issue in common usecases,
where the number of characters on a line is relatively small, this can
be very inefficient as a consequence of Unicode containing 0-width
(invisible) characters. Specifically, there are characters defining the
text direction (LTR or RTL), which cause our algorithm to touch the
worst case quadratic runtime. For example, a person is able to send a
message containing a few visible characters, and also a lot of these
direction changing invisible ones. When the receiver touches the message
(causing the Layout#getOffsetForHorizontal method to be called), the
receiver's application would become not responsive.

This CL optimizes the method to run in O(n) worst case. This is achieved
by computing the measurements of all line prefixes at first, which can
be done in a single pass. Then, all the prefix measurement queries will
be answered in O(1), rather than O(n) as it was happening before.

Bug: 79215201
Test: manual testing
Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
(cherry picked from commit 69b589b2)

Change-Id: Ieff3504baf3d13c77d06fcde87d5ac56d2586194

Merge cherrypicks of [4741663, 4741664, 4741665, 4741666, 4743080, 4743081, 4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547

Change-Id: I1492186998ee5230a67cd2efaf8c68d8b008cb7e

Bug: 77600398
Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
(cherry picked from commit 0d2dc943)