Mp4: added and updated sanity checks for "end" handling. When handling incorrect data in ngx_http_mp4_crop_stsc_data(), trak->end_chunk_samples might end up being arbitrary large, leading to reading before the buffer in ngx_http_mp4_update_stsz_atom(). Fix is to check that trak->end_chunk_samples corresponds to a memory within the stsz atom data. For consistency, trak->start_chunk_samples is checked similarly. Similarly, trak->end_chunk might end up being smaller than trak->start_chunk, leading to reading memory after the buffer in ngx_http_mp4_update_stco_atom() and ngx_http_mp4_update_co64_atom(). Corresponding checks are updated to explicitly test (trak->end_chunk - trak->start_chunk) instead of just checking trak->end_chunk and assuming it is larger than trak->start_chunk. This is generally in line with existing checks of (trak->end_sample - trak->start_sample) in ngx_http_mp4_update_stsz_atom(), where trak->end_sample might also become smaller than trak->start_sample when handling incorrect data in ngx_http_mp4_crop_stts_data().

<!ELEMENT configuration   (length, start, indent, changes+) >

<!ELEMENT length          (#PCDATA) >
<!ELEMENT start           (#PCDATA) >
<!ELEMENT indent          (#PCDATA) >

<!ELEMENT changes         (title, length,
                           bugfix, feature, change, workaround,
                           (month, month, month, month, month, month,
                            month, month, month, month, month, month)?) >

<!ATTLIST changes         lang ( ru | en) #REQUIRED>

<!ELEMENT title           (#PCDATA) >

<!ELEMENT bugfix          (#PCDATA) >
<!ELEMENT feature         (#PCDATA) >
<!ELEMENT change          (#PCDATA) >
<!ELEMENT workaround      (#PCDATA) >

<!ELEMENT month           (#PCDATA) >