Exploiting aCropalypse: Recovering Truncated PNGs (CVE-2023-21036)
The bug lies in closed-source Google-proprietary code, so it's a bit hard to inspect, but after some patch-diffing I concluded that the root cause was this horrible bit of API 'design': https://issuetracker.google.com/issues/180526528.

Google was passing `w` to a call to `parseMode()`, when they should've been passing `wt` (the `t` stands for truncation). This is an easy mistake, since similar APIs (like POSIX `fopen`) will truncate by default when you simply pass `w`. Not only that, but previous Android releases had `parseMode("w")` truncate by default too! This change wasn't even documented until some time after the aforementioned bug report w