| -rw-r--r-- | core/java/android/app/OWNERS | 3 | ||||
| -rw-r--r-- | core/java/android/os/OWNERS | 3 | ||||
| -rw-r--r-- | core/java/android/view/SurfaceControlRegistry.java | 2 | ||||
| -rw-r--r-- | core/java/com/android/internal/widget/OWNERS | 4 | ||||
| -rw-r--r-- | native/graphics/jni/Android.bp | 27 | ||||
| -rw-r--r-- | native/graphics/jni/fuzz/fuzz_imagedecoder.cpp | 65 |
6 files changed, 102 insertions, 2 deletions
diff --git a/core/java/android/app/OWNERS b/core/java/android/app/OWNERS index 1200b4b45712..adeb0451cd43 100644 --- a/core/java/android/app/OWNERS +++ b/core/java/android/app/OWNERS @@ -94,6 +94,9 @@ per-file IEphemeralResolver.aidl = file:/services/core/java/com/android/server/p per-file IInstantAppResolver.aidl = file:/services/core/java/com/android/server/pm/OWNERS per-file InstantAppResolveInfo.aidl = file:/services/core/java/com/android/server/pm/OWNERS +# Performance +per-file PropertyInvalidatedCache.java = file:/PERFORMANCE_OWNERS + # Pinner per-file pinner-client.aconfig = file:/core/java/android/app/pinner/OWNERS diff --git a/core/java/android/os/OWNERS b/core/java/android/os/OWNERS index 6d6757d5afd1..7d3076d6611f 100644 --- a/core/java/android/os/OWNERS +++ b/core/java/android/os/OWNERS @@ -106,6 +106,9 @@ per-file SystemConfigManager.java = file:/PACKAGE_MANAGER_OWNERS # ProfilingService per-file ProfilingServiceManager.java = file:/PERFORMANCE_OWNERS +# Performance +per-file IpcDataCache.java = file:/PERFORMANCE_OWNERS + # Memory per-file OomKillRecord.java = file:/MEMORY_OWNERS diff --git a/core/java/android/view/SurfaceControlRegistry.java b/core/java/android/view/SurfaceControlRegistry.java index 127d4a70a564..b7f3ee337a03 100644 --- a/core/java/android/view/SurfaceControlRegistry.java +++ b/core/java/android/view/SurfaceControlRegistry.java @@ -71,7 +71,7 @@ public class SurfaceControlRegistry { } // Sort entries by time registered when dumping // TODO: Or should it sort by name? - entries.sort((o1, o2) -> (int) (o1.getValue() - o2.getValue())); + entries.sort((o1, o2) -> Long.compare(o1.getValue(), o2.getValue())); final int size = Math.min(entries.size(), limit); pw.println("SurfaceControlRegistry"); diff --git a/core/java/com/android/internal/widget/OWNERS b/core/java/com/android/internal/widget/OWNERS index cf2f202a03ac..2d1c2f032d16 100644 --- a/core/java/com/android/internal/widget/OWNERS +++ b/core/java/com/android/internal/widget/OWNERS 
@@ -3,7 +3,9 @@ per-file RecyclerView.java = mount@google.com per-file ViewPager.java = mount@google.com # LockSettings related -per-file *LockPattern* = file:/services/core/java/com/android/server/locksettings/OWNERS +per-file LockPatternChecker.java = file:/services/core/java/com/android/server/locksettings/OWNERS +per-file LockPatternUtils.java = file:/services/core/java/com/android/server/locksettings/OWNERS +per-file LockPatternView.java = file:/packages/SystemUI/OWNERS per-file *LockScreen* = file:/services/core/java/com/android/server/locksettings/OWNERS per-file *Lockscreen* = file:/services/core/java/com/android/server/locksettings/OWNERS per-file *LockSettings* = file:/services/core/java/com/android/server/locksettings/OWNERS diff --git a/native/graphics/jni/Android.bp b/native/graphics/jni/Android.bp index 8f16f762f7ef..0fb3049f63d8 100644 --- a/native/graphics/jni/Android.bp +++ b/native/graphics/jni/Android.bp @@ -127,3 +127,30 @@ cc_fuzz { "-DPNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR", ], } + +cc_fuzz { + name: "imagedecoder_heif_fuzzer", + defaults: ["imagedecoder_fuzzer_defaults"], + team: "trendy_team_android_core_graphics_stack", + shared_libs: [ + "libfakeservicemanager", + ], + target: { + android: { + shared_libs: [ + "libmediaplayerservice", + "libmediaextractorservice", + ], + }, + host: { + static_libs: [ + "libbinder_random_parcel", + "libcutils", + ], + }, + }, + include_dirs: ["frameworks/av/services/mediaextractor"], + cflags: [ + "-DFUZZ_HEIF_FORMAT", + ], +} diff --git a/native/graphics/jni/fuzz/fuzz_imagedecoder.cpp b/native/graphics/jni/fuzz/fuzz_imagedecoder.cpp index 6743997fb152..f739e4a1d1a2 100644 --- a/native/graphics/jni/fuzz/fuzz_imagedecoder.cpp +++ b/native/graphics/jni/fuzz/fuzz_imagedecoder.cpp 
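Review bot: Replacing the `*LockPattern*` glob with three explicit entries means a new file with `LockPattern` in its name will no longer be routed to the locksettings owners automatically, while `*LockScreen*`, `*Lockscreen*` and `*LockSettings*` below still are. If that is intended, a comment above the entries would keep review coverage of the lock-credential code from drifting, for example `# LockPattern files are listed individually because LockPatternView.java is owned by SystemUI; add new ones here`.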
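Review bot: `include_dirs: ["frameworks/av/services/mediaextractor"]` is set at the top level of `imagedecoder_heif_fuzzer`, but the header it appears to serve (`MediaExtractorService.h`) is only included under `#ifdef __ANDROID__` in the fuzzer source. Moving it next to the device-only `shared_libs` under `target.android` would keep the host variant from picking up a cross-project include path it does not use. If `libmediaextractorservice` exports its headers, dropping `include_dirs` altogether would be cleaner; that cannot be confirmed from this diff.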
@@ -18,6 +18,16 @@ #include <binder/IPCThreadState.h> #include <fuzzer/FuzzedDataProvider.h> +#ifdef FUZZ_HEIF_FORMAT +#include <fakeservicemanager/FakeServiceManager.h> +#ifdef __ANDROID__ +#include <MediaExtractorService.h> +#include <MediaPlayerService.h> +#else +#include <fuzzbinder/random_binder.h> +#endif //__ANDROID__ +#endif // FUZZ_HEIF_FORMAT + #ifdef PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR #include <fuzz/png_mutator.h> #endif @@ -31,8 +41,42 @@ struct PixelFreer { using PixelPointer = std::unique_ptr<void, PixelFreer>; +#ifndef FUZZ_HEIF_FORMAT +#define FOURCC(c1, c2, c3, c4) ((c1) << 24 | (c2) << 16 | (c3) << 8 | (c4)) +/** Reverse all 4 bytes in a 32bit value. + e.g. 0x12345678 -> 0x78563412 +*/ +static uint32_t endianSwap32(uint32_t value) { + return ((value & 0xFF) << 24) | ((value & 0xFF00) << 8) | ((value & 0xFF0000) >> 8) | + (value >> 24); +} + +static bool isFtyp(const uint8_t* data, size_t size) { + constexpr int32_t headerSize = 8; + constexpr int32_t chunkTypeOffset = 4; + constexpr int32_t ftypFourCCVal = FOURCC('f', 't', 'y', 'p'); + if (size >= headerSize) { + const uint32_t* chunk = reinterpret_cast<const uint32_t*>(data + chunkTypeOffset); + if (endianSwap32(*chunk) == ftypFourCCVal) { + return true; + } + } + return false; +} +#endif + AImageDecoder* init(const uint8_t* data, size_t size, bool useFileDescriptor) { AImageDecoder* decoder = nullptr; +#ifndef FUZZ_HEIF_FORMAT + if (isFtyp(data, size)) { + /* We want to ignore HEIF data when fuzzing non-HEIF image decoders. Use 'FTYP' + * as a signal to ignore, though note that this excludes more than just HEIF. + * But when this code was added, `AImageDecoder` did not support any formats + * in 'FTYP' besides HEIF. + */ + return nullptr; + } +#endif // FUZZ_HEIF_FORMAT if (useFileDescriptor) { constexpr char testFd[] = "tempFd"; int32_t fileDesc = open(testFd, O_RDWR | O_CREAT | O_TRUNC); 
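Review bot: `isFtyp` reads the box type with `*reinterpret_cast<const uint32_t*>(data + chunkTypeOffset)`, a type-punned load from a byte buffer whose alignment is not guaranteed, and together with `endianSwap32` it only yields the right value on a little-endian host. In a sanitizer build with alignment checks this can be reported against the harness itself rather than the decoder. Comparing the bytes directly avoids both problems and makes `FOURCC` and `endianSwap32` unnecessary: `return size >= headerSize && memcmp(data + chunkTypeOffset, "ftyp", 4) == 0;` (needs `<cstring>`). The `#endif` that closes this helper block could also carry `// FUZZ_HEIF_FORMAT` like the others. `init` continues past the end of the hunk.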
@@ -47,6 +91,27 @@ AImageDecoder* init(const uint8_t* data, size_t size, bool useFileDescriptor) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider = FuzzedDataProvider(data, size); +#ifdef FUZZ_HEIF_FORMAT + /** + * For image formats like HEIF, a new metadata object is + * created which requires "media.player" service running + */ + static std::once_flag callOnceHEIF; + std::call_once(callOnceHEIF, [&]() { + android::sp<android::IServiceManager> fakeServiceManager = + new android::FakeServiceManager(); + setDefaultServiceManager(fakeServiceManager); +#ifdef __ANDROID__ + android::MediaPlayerService::instantiate(); + android::MediaExtractorService::instantiate(); +#else + auto binderExtractor = android::getRandomBinder(&dataProvider); + auto binderPlayer = android::getRandomBinder(&dataProvider); + fakeServiceManager->addService(android::String16("media.extractor"), binderExtractor); + fakeServiceManager->addService(android::String16("media.player"), binderPlayer); +#endif //__ANDROID__ + }); +#endif // FUZZ_HEIF_FORMAT /** * Use maximum of 80% of buffer for creating decoder and save at least * 20% buffer for fuzzing other APIs |
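Review bot: In the host branch the `std::call_once` lambda captures `dataProvider` by reference and builds both binders with `android::getRandomBinder(&dataProvider)`, so the process-wide `media.extractor` and `media.player` services are derived from whichever input happens to run first. A crash found on a later input may then not reproduce when that input is replayed alone, because the replay builds the binders from different bytes. Consider seeding the binders from a fixed buffer that is independent of the current input, for example a function-local `static FuzzedDataProvider` over a constant byte array, and add a comment on the `call_once` stating that this state persists across inputs. `std::once_flag` and `std::call_once` also need `<mutex>`, which the include hunk does not add; confirm it is not relied on transitively. `LLVMFuzzerTestOneInput` continues past the end of the hunk.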