DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be

injected.
-Can potentially crash system with OOM.
Bug: 29555864

Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 5439aabb165b5a760d1e580016bf1d6fd963cb65)

Author: David Christie

services/core/java/com/android/server/location/GpsXtraDownloader.java

@@ -21,8 +21,11 @@
 
 import java.net.HttpURLConnection;
 import java.net.URL;
-import libcore.io.Streams;
 
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
 
     private static final String TAG = "GpsXtraDownloader";
     private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+    private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000;  // 1MB.
     private static final String DEFAULT_USER_AGENT = "Android";
 
     private final String[] mXtraServers;
@@ -121,7 +125,19 @@ protected byte[] doDownload(String url) {
                 return null;
             }
 
-            return Streams.readFully(connection.getInputStream());
+            try (InputStream in = connection.getInputStream()) {
+                ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+                byte[] buffer = new byte[1024];
+                int count;
+                while ((count = in.read(buffer)) != -1) {
+                    bytes.write(buffer, 0, count);
+                    if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+                        if (DEBUG) Log.d(TAG, "XTRA file too large");
+                        return null;
+                    }
+                }
+                return bytes.toByteArray();
+            }
         } catch (IOException ioe) {
             if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
         } finally {
@@ -133,3 +149,4 @@ protected byte[] doDownload(String url) {
     }
 
 }
+