From 7a51dcf194fb01d9fdaed1a99edfe966cae077b6 Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jyavenard@mozilla.com>
Date: Tue, 7 Apr 2015 20:33:16 +1000
Subject: [PATCH] Bug 1149278: Limit box reads to resource length. r=k17e

Also, add a safeguard where we will never attempt to read a mp4 box over 32MiB
---
 media/libstagefright/binding/Box.cpp        | 16 ++++++++++------
 media/libstagefright/binding/MoofParser.cpp |  5 +++--
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/media/libstagefright/binding/Box.cpp b/media/libstagefright/binding/Box.cpp
index 500a6d0a9aac..71c79ed739f4 100644
--- a/media/libstagefright/binding/Box.cpp
+++ b/media/libstagefright/binding/Box.cpp
@@ -7,6 +7,7 @@
 #include "mp4_demuxer/Box.h"
 #include "mp4_demuxer/mp4_demuxer.h"
 #include "mozilla/Endian.h"
+#include <algorithm>
 
 using namespace mozilla;
 
@@ -91,11 +92,6 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
     return;
   }
 
-  nsTArray<uint8_t> content;
-  if (!Read(&content, boxRange)) {
-    return;
-  }
-
   mRange = boxRange;
 }
 
@@ -129,7 +125,15 @@ Box::Read(nsTArray<uint8_t>* aDest)
 bool
 Box::Read(nsTArray<uint8_t>* aDest, const MediaByteRange& aRange)
 {
-  aDest->SetLength(aRange.mEnd - mChildOffset);
+  int64_t length;
+  if (!mContext->mSource->Length(&length)) {
+    // The HTTP server didn't give us a length to work with.
+    // Limit the read to 32MiB max.
+    length = std::min(aRange.mEnd - mChildOffset, uint64_t(32 * 1024 * 1024));
+  } else {
+    length = aRange.mEnd - mChildOffset;
+  }
+  aDest->SetLength(length);
   size_t bytes;
   if (!mContext->mSource->CachedReadAt(mChildOffset, aDest->Elements(),
                                        aDest->Length(), &bytes) ||
diff --git a/media/libstagefright/binding/MoofParser.cpp b/media/libstagefright/binding/MoofParser.cpp
index f0f940ce88e1..2adc9c717476 100644
--- a/media/libstagefright/binding/MoofParser.cpp
+++ b/media/libstagefright/binding/MoofParser.cpp
@@ -99,9 +99,10 @@ private:
 bool
 MoofParser::BlockingReadNextMoof()
 {
+  int64_t length = std::numeric_limits<int64_t>::max();
+  mSource->Length(&length);
   nsTArray<MediaByteRange> byteRanges;
-  byteRanges.AppendElement(
-    MediaByteRange(0, std::numeric_limits<int64_t>::max()));
+  byteRanges.AppendElement(MediaByteRange(0, length));
   nsRefPtr<mp4_demuxer::BlockingStream> stream = new BlockingStream(mSource);
 
   BoxContext context(stream, byteRanges);