Bug 1232069 - Check box sizes before alloc&copy. r=jya

media/libstagefright/binding/Box.cpp

@@ -13,6 +13,10 @@ using namespace mozilla;
 
 namespace mp4_demuxer {
 
+// Limit reads to 32MiB max.
+// static
+const uint64_t Box::kMAX_BOX_READ = 32 * 1024 * 1024;
+
 // Returns the offset from the start of the body of a box of type |aType|
 // to the start of its first child.
 static uint32_t
@@ -149,8 +153,8 @@ Box::Read(nsTArray<uint8_t>* aDest, const MediaByteRange& aRange)
   int64_t length;
   if (!mContext->mSource->Length(&length)) {
     // The HTTP server didn't give us a length to work with.
-    // Limit the read to 32MiB max.
-    length = std::min(aRange.mEnd - mChildOffset, uint64_t(32 * 1024 * 1024));
+    // Limit the read to kMAX_BOX_READ max.
+    length = std::min(aRange.mEnd - mChildOffset, kMAX_BOX_READ);
   } else {
     length = aRange.mEnd - mChildOffset;
   }

media/libstagefright/binding/MoofParser.cpp

@@ -182,7 +182,9 @@ MoofParser::Metadata()
   MediaByteRange ftyp;
   MediaByteRange moov;
   ScanForMetadata(ftyp, moov);
-  if (!ftyp.Length() || !moov.Length()) {
+  if (!ftyp.Length() || !moov.Length() ||
+      ftyp.Length() > Box::kMAX_BOX_READ || moov.Length() > Box::kMAX_BOX_READ) {
+    // No ftyp or moov, or trying to read bigger-that-readable box (32MB).
     return nullptr;
   }
   RefPtr<MediaByteBuffer> metadata = new MediaByteBuffer();

media/libstagefright/binding/include/mp4_demuxer/Box.h

@@ -51,6 +51,8 @@ public:
   bool Read(nsTArray<uint8_t>* aDest);
   bool Read(nsTArray<uint8_t>* aDest, const MediaByteRange& aRange);
 
+  static const uint64_t kMAX_BOX_READ;
+
 private:
   bool Contains(MediaByteRange aRange) const;
   BoxContext* mContext;