CVE (may not apply other users than Android):
Detect AVX/FMA intrinsics availability on clang
CVE-2021-0561 is potentially relevant, but needs evaluation by somebody who understands the FLAC internals. I can't judge its correctness. In other words, we'll have to wait and see how upstream handles this.
The GCC problem is crazy and needs to be fixed in the compiler, i.e., lang/gcc9, if anybody uses that compiler to build FLAC.
The AVX intrinsics change is applicable, but just an optimization. We'll pick it up with the next upstream release.