Android API change leads to being able to recover cropped-out portions of images

We discussed this vulnerability during Episode 197 on 20 March 2023

Solid post documenting some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API. Without going into details about parcels, you can think of this as similar to just opening a file. You usually need to provide a mode, like w for write or r for read access. By default on POSIX systems, using mode w will also truncate the file. So if you open a 100-byte file with mode w and then write 10 bytes, with truncation by default it'll truncate the file to be 10 bytes long, since that is all that was written. Without truncation you'd just be replacing the first 10 bytes with the new content, leaving the remaining 90 bytes unchanged.

The API change (Android 10 and later) in parcels was that w no longer truncated by default; instead you'd need to pass in a mode of wt to truncate. The default markup and cropping software on Pixel devices did not account for this change (it was an undocumented change). So, files cropped using the default application, if they were smaller than the original, would have trailing data containing part of the original, unedited image.
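The file-mode behaviour described above, and the check a defender would run over a directory of screenshots, as an added example that is not part of the original post or the episode. The PNG builder and the sample images are constructed here purely to have something to write; the "leaked" file is produced by overwriting a larger PNG with a smaller one without truncation, which is the condition the post describes. Detection is simply walking the PNG chunk list and measuring how many bytes remain after the IEND chunk: a clean PNG has none.

```python
import os
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed sample image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # One filter byte (0 = None) per scanline, then one byte per pixel.
    raw = b"".join(
        b"\x00" + bytes([(x * 7 + y * 13) & 0xFF for x in range(width)])
        for y in range(height)
    )
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def overwrite(path: str, data: bytes, truncate: bool) -> None:
    """Write `data` over an existing file, with or without truncation.

    truncate=True mirrors the classic 'w' semantics; truncate=False mirrors the
    changed behaviour where 'w' leaves the old tail of the file in place.
    """
    if truncate:
        with open(path, "wb") as f:
            f.write(data)
    else:
        # r+b opens for read/write at offset 0 and does NOT truncate.
        with open(path, "r+b") as f:
            f.write(data)


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def demo() -> dict:
    """Produce a leaked and a clean 'cropped' file and measure both."""
    original = make_png(64, 64)   # the full screenshot
    cropped = make_png(16, 16)    # the smaller edited result
    assert len(cropped) < len(original)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")
        with open(path, "wb") as f:
            f.write(original)
        overwrite(path, cropped, truncate=False)   # buggy path: tail survives
        with open(path, "rb") as f:
            leaked = f.read()
        overwrite(path, cropped, truncate=True)    # fixed path: file shrinks
        with open(path, "rb") as f:
            clean = f.read()
    return {
        "original_size": len(original),
        "cropped_size": len(cropped),
        "leaked_size": len(leaked),
        "clean_size": len(clean),
        "leaked_trailing": trailing_bytes_after_iend(leaked),
        "clean_trailing": trailing_bytes_after_iend(clean),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `trailing_bytes_after_iend` over a folder of exported screenshots is a quick way to find files that carry a stale tail; the count it returns equals the size difference between the original and the re-saved file, which is exactly the region the post's recovery technique works from.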

The post here goes into actually recovering the original/source image from the corrupted file; if that aspect is of interest to you, check it out.