***************************************************************
***************************************************************
  46 file changed, 871 insertions(+), 215 deletions(-)
***************************************************************
***************************************************************
========platform/build between android-8.1.0_r33..android-8.1.0_r41=========
 core/build_id.mk         | 2 +-
 core/version_defaults.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
2b808db05 "Update Platform Security String to 2018-07-05 for oc-mr1-dev Bug:79883349" (cherry picked from commit d83c28410550e48b162c2b7414db9a4627aee013)
61c0e639f DO NOT MERGE: Updating security string for oc-mr1-dev to 2018-06-05

========device/huawei/angler-kernel between android-8.1.0_r33..android-8.1.0_r41=========
 Image.gz-dtb | Bin 11136436 -> 11135103 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
6176612 Merge cherrypicks of [4195294, 4195296, 4195440, 4195441, 4186165, 4186166, 4186580, 4195442, 4195443, 4186193, 4186194, 4186195, 4186196, 4186607, 4195444, 4195297, 4186608, 4186609, 4186610, 4186611, 4186612, 4186613, 4186614, 4186649, 4186650, 4186651, 4186652, 4186653, 4186654, 4186655, 4186656, 4186657, 4195518, 4195519, 4195520, 4195521, 4195522, 4186406, 4186407, 4186408, 4195523, 4195558, 4195559, 4186197, 4195524, 4186615, 4195445, 4195446, 4186829, 4186830, 4186831, 4186832, 4186833, 4186834, 4186835, 4186836, 4186837, 4195578, 4195579, 4195580, 4195581, 4195447, 4186581, 4195448, 4195560] into sparse-4749909-L06000000176800346

========device/lge/bullhead-kernel between android-8.1.0_r33..android-8.1.0_r41=========
 Image.gz-dtb | Bin 10826383 -> 10827390 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
f8887e8 Merge cherrypicks of [4195294, 4195296, 4195440, 4195441, 4186165, 4186166, 4186580, 4195442, 4195443, 4186193, 4186194, 4186195, 4186196, 4186607, 4195444, 4195297, 4186608, 4186609, 4186610, 4186611, 4186612, 4186613, 4186614, 4186649, 4186650, 4186651, 4186652, 4186653, 4186654, 4186655, 4186656, 4186657, 4195518, 4195519, 4195520, 4195521, 4195522, 4186406, 4186407, 4186408, 4195523, 4195558, 4195559, 4186197, 4195524, 4186615, 4195445, 4195446, 4186829, 4186830, 4186831, 4186832, 4186833, 4186834, 4186835, 4186836, 4186837, 4195578, 4195579, 4195580, 4195581, 4195447, 4186581, 4195448, 4195560] into sparse-4749909-L06000000176800346

========platform/external/bouncycastle between android-8.1.0_r33..android-8.1.0_r41=========
 .../java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
129a204 Fix probable prime confidence calculations.

========platform/external/libavc between android-8.1.0_r33..android-8.1.0_r41=========
11b0281 Encoder: Return error for odd resolution
8253d13 Decoder: Modify setting short term reference field flag

========platform/external/libhevc between android-8.1.0_r33..android-8.1.0_r41=========
 common/ihevc_defs.h            |  2 +-
 decoder/ihevcd_parse_headers.c | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
e46e599 Return error for invalid st/lt sps parameters
7eb4618 Return error for invalid sps sub layers parameters
3d6b328 Add limits check for depth hierarchy sps parameters
1d39c5f Return error for invalid reorder parameter

========platform/external/libmpeg2 between android-8.1.0_r33..android-8.1.0_r41=========
76199d0 Adding Check For Number of Skip MBs

========platform/external/libvpx between android-8.1.0_r33..android-8.1.0_r41=========
d4d13bc DO NOT MERGE | libvpx: cherry pick fix to OOB of mv_cost index.

========platform/external/sonivox between android-8.1.0_r33..android-8.1.0_r41=========
974d3ab sonivox: fix hang caused by bad meta-event

========platform/frameworks/av between android-8.1.0_r33..android-8.1.0_r41=========
 drm/libmediadrm/CryptoHal.cpp                      | 25 ++++++++--
 media/libmedia/include/media/CryptoHal.h           | 15 +++++-
 media/libstagefright/ItemTable.cpp                 |  3 +-
 media/libstagefright/id3/ID3.cpp                   | 21 ++++++--
 services/oboeservice/AAudioServiceEndpoint.h       |  4 +-
 services/oboeservice/AAudioServiceStreamBase.cpp   | 57 +++++++++++++---------
 services/oboeservice/AAudioServiceStreamBase.h     |  5 ++
 services/oboeservice/AAudioServiceStreamMMAP.cpp   | 55 ++++++++++++++++-----
 services/oboeservice/AAudioServiceStreamShared.cpp | 29 +++++++----
 9 files changed, 159 insertions(+), 55 deletions(-)
fa12c0fcd Speed up id3v2 unsynchronization
d3860e51b Fix security vulnerability in CryptoHal
46bd7c682 aaudio: use weak pointer to prevent UAF
7306d8b37 Add minimum size check for ImageGrid atom
e8b28a87b Sanitize effect descriptors for AudioPolicyService binder calls.
0182a2cba Add check preventing div0 issue
ed964f613 Init gain config to prevent uninit leak.

========platform/frameworks/base between android-8.1.0_r33..android-8.1.0_r41=========
 .../IAccessibilityServiceConnection.aidl           |  10 +-
 .../appwidget/AppWidgetManagerInternal.java        |  36 +++
 core/java/android/bluetooth/BluetoothDevice.java   |   6 +-
 core/java/android/view/ViewRootImpl.java           |   1 +
 .../AccessibilityInteractionClient.java            | 118 ++++++---
 .../view/accessibility/AccessibilityManager.java   |   5 +-
 .../view/accessibility/IAccessibilityManager.aidl  |   2 +-
 .../Osu/src/com/android/hotspot2/flow/OSUInfo.java |  12 +-
 .../accessibility/AccessibilityManagerService.java | 291 +++++++++++++++------
 .../server/appwidget/AppWidgetServiceImpl.java     |  25 ++
 .../java/android/telephony/TelephonyManager.java   |   2 +-
 .../com/android/internal/telephony/ITelephony.aidl |   4 +-
 12 files changed, 383 insertions(+), 129 deletions(-)
45b074fab45 clearCallingIdentity before calling into getPackageUidAsUser
fc7eb8e471b Nullcheck to fix Autofill CTS
5c23facbf80 Osu: fixed Mismatch between createFromParcel and writeToParcel
a6fe2cd18c7 DO NOT MERGE Truncate newline and tab characters in BluetoothDevice name
7e6840ddfe0 Fix broken check for TelephonyManager#getForbiddenPlmns
cf37a360173 DO NOT MERGE (O) Revoke permision when group changed
7fa9b75fc24 ResStringPool: Fix security vulnerability
e6655cb8a78 RESTRICT AUTOMERGE: Prevent reporting fake package name - framework (backport to oc-mr1-dev)
bd9207720cc Use concrete CREATOR instance for parceling lists
786da80d635 Rework thumbnail cleanup
468c8f30a9a DO NOT MERGE - fix AFM.getComponentNameFromContext()
ce15fb3f0bf Proper autofill fix to let phone process autofill Settings activity.
ead1315d7e4 Make sure apps cannot forge package name on AssistStructure used for Autofill.

========platform/frameworks/minikin between android-8.1.0_r33..android-8.1.0_r41=========
 libs/minikin/FontUtils.cpp       |  16 ++++--
 libs/minikin/FontUtils.h         |   2 +-
 tests/unittest/Android.bp        |   1 +
 tests/unittest/FontUtilsTest.cpp | 116 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 129 insertions(+), 6 deletions(-)
62e88b9 Fix fvar table size validation logic - DO NOT MERGE

========platform/frameworks/native between android-8.1.0_r33..android-8.1.0_r41=========
 libs/binder/Parcel.cpp              | 89 ++++++++++++++++++++++++++++++++++++-
 libs/binder/include/binder/Parcel.h |  2 +
 2 files changed, 90 insertions(+), 1 deletion(-)
ff2171f24 Don't pad before calling writeInPlace().
ab1fb955a Increment when attempting to read protected Parcel Data
c4b7338b1 Disallow reading object data from Parcels with non-object reads

========platform/frameworks/opt/telephony between android-8.1.0_r33..android-8.1.0_r41=========
452ca5982 Fixed invalid pdu issue

========platform/hardware/interfaces between android-8.1.0_r33..android-8.1.0_r41=========
 cas/1.0/default/DescramblerImpl.cpp | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
9a731270 cas: do not use hidl_memory if size is > SIZE_MAX
aa633497 cas: fix UAF in descrambler -- DO NOT MERGE

========platform/packages/apps/Bluetooth between android-8.1.0_r33..android-8.1.0_r41=========
 jni/com_android_bluetooth_gatt.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
98ff9fe7d Make sure server response doesn't exceed maximum allowable length

========platform/packages/providers/MediaProvider between android-8.1.0_r33..android-8.1.0_r41=========
831c507 Rework thumbnail cleanup

========platform/packages/providers/UserDictionaryProvider between android-8.1.0_r33..android-8.1.0_r41=========
24bc3d8 Check caller before accessing database

========platform/packages/services/Telephony between android-8.1.0_r33..android-8.1.0_r41=========
 src/com/android/phone/PhoneInterfaceManager.java | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
9a4a9970c DO NOT MERGE Add Safety Net Log for getForbiddenPlmns security hole
8ca72cfdf Fix broken permission check for TelephonyManager#getForbiddenPlmns

========platform/system/bt between android-8.1.0_r33..android-8.1.0_r41=========
 btif/src/btif_rc.cc        | 7 +++++++
 btif/src/btif_storage.cc   | 4 ++++
 stack/avrc/avrc_pars_ct.cc | 4 ++++
 stack/l2cap/l2c_ble.cc     | 5 +++++
 stack/smp/smp_main.cc      | 8 ++++++++
 5 files changed, 28 insertions(+)
f1c2c8608 Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
8e702ed35 DO NOT MERGE: Check number of attributes before writing to a buffer
97eb2f9cf DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE
605ebb336 DO NOT MERGE Prevent stack overflow in btif_storage
718aa1b3e DO NOT MERGE SMP: Validate remote elliptic curve points
2feada4e3 DO NOT MERGE Add bounds check for BNEP_Write
2da89e135 DO NOT MERGE Initialize local variable in gatts_process_read_by_type_req
70d86c36a DO NOT MERGE Fix OOB read in process_l2cap_cmd
58affa3d0 PAN: Always allocate in bta_pan_data_buf_ind_cback
6d64c85a6 DO NOT MERGE Handle bad packet length in gatts_process_read_req
401bc7b29 DO NOT MERGE Drop LE CoC fragments when frame size is too big
06dbf98ca DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
ae94a4c33 DO NOT MERGE Fix unexpected behavior in smp_sm_event

========platform/system/libhidl between android-8.1.0_r33..android-8.1.0_r41=========
 libhidlmemory/mapping.cpp                     | 10 ++++++++++
 transport/memory/1.0/default/Android.bp       |  1 +
 transport/memory/1.0/default/AshmemMapper.cpp | 13 +++++++++++++
 3 files changed, 24 insertions(+)
e1302cf mapMemory: Do not map if size is > SIZE_MAX

========platform/system/media between android-8.1.0_r33..android-8.1.0_r41=========
 camera/src/camera_metadata.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
12df4b05 Merge commit 'f9e3022c474619c69a46ae7dbe11b5b531dbad57' into am-0d58d39a-0539-474e-b9c8-36cc976d15e8