Bug 1149278: Limit box reads to resource length. r=k17e

Also, add a safeguard where we will never attempt to read a mp4 box over 32MiB

media/libstagefright/binding/Box.cpp

@@ -7,6 +7,7 @@
 #include "mp4_demuxer/Box.h"
 #include "mp4_demuxer/mp4_demuxer.h"
 #include "mozilla/Endian.h"
+#include <algorithm>
 
 using namespace mozilla;
 
@@ -91,11 +92,6 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
     return;
   }
 
-  nsTArray<uint8_t> content;
-  if (!Read(&content, boxRange)) {
-    return;
-  }
-
   mRange = boxRange;
 }
 
@@ -129,7 +125,15 @@ Box::Read(nsTArray<uint8_t>* aDest)
 bool
 Box::Read(nsTArray<uint8_t>* aDest, const MediaByteRange& aRange)
 {
-  aDest->SetLength(aRange.mEnd - mChildOffset);
+  int64_t length;
+  if (!mContext->mSource->Length(&length)) {
+    // The HTTP server didn't give us a length to work with.
+    // Limit the read to 32MiB max.
+    length = std::min(aRange.mEnd - mChildOffset, uint64_t(32 * 1024 * 1024));
+  } else {
+    length = aRange.mEnd - mChildOffset;
+  }
+  aDest->SetLength(length);
   size_t bytes;
   if (!mContext->mSource->CachedReadAt(mChildOffset, aDest->Elements(),
                                        aDest->Length(), &bytes) ||

media/libstagefright/binding/MoofParser.cpp

@@ -99,9 +99,10 @@ private:
 bool
 MoofParser::BlockingReadNextMoof()
 {
+  int64_t length = std::numeric_limits<int64_t>::max();
+  mSource->Length(&length);
   nsTArray<MediaByteRange> byteRanges;
-  byteRanges.AppendElement(
-    MediaByteRange(0, std::numeric_limits<int64_t>::max()));
+  byteRanges.AppendElement(MediaByteRange(0, length));
   nsRefPtr<mp4_demuxer::BlockingStream> stream = new BlockingStream(mSource);
 
   BoxContext context(stream, byteRanges);