qemu/tests/qtest
Philippe Mathieu-Daudé a2cd86a94a hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
Hardware Programming Guide" limit the sampling range from 4000 Hz to
44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
3-2 and 3-3).

Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
42h registers (Set digitized sound output sampling rate):

  Valid sampling rates range from 5000 to 45000 Hz inclusive.

There is no comment regarding error handling if the register is filled
with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
Auto-initialize Transfer"). Assume limits are enforced in hardware.

This fixes triggering an assertion in audio_calloc():

  #1 abort
  #2 audio_bug audio/audio.c:119:9
  #3 audio_calloc audio/audio.c:154:9
  #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
  #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
  #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
  #7 AUD_open_out audio/audio_template.h:503:14
  #8 continue_dma8 hw/audio/sb16.c:216:20
  #9 dma_cmd8 hw/audio/sb16.c:276:5
  #10 command hw/audio/sb16.c:0
  #11 dsp_write hw/audio/sb16.c:949:13
  #12 portio_write softmmu/ioport.c:205:13
  #13 memory_region_write_accessor softmmu/memory.c:491:5
  #14 access_with_adjusted_size softmmu/memory.c:552:18
  #15 memory_region_dispatch_write softmmu/memory.c:0:13
  #16 flatview_write_continue softmmu/physmem.c:2759:23
  #17 flatview_write softmmu/physmem.c:2799:14
  #18 address_space_write softmmu/physmem.c:2891:18
  #19 cpu_outw softmmu/ioport.c:70:5

[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

Fixes: 85571bc741 ("audio merge (malc)")
Buglink: https://bugs.launchpad.net/bugs/1910603
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210616104349.2398060-1-f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-06-17 11:55:23 +02:00
..
fuzz tests/qtest/fuzz: Fix build failure 2021-05-26 14:49:46 +02:00
libqos test: new qTest case to test the vhost-user-blk-server 2021-05-18 12:57:38 +02:00
ac97-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
acpi-utils.c
acpi-utils.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ahci-test.c tests/qtest/ahci-test.c: Calculate iso_size with 64-bit arithmetic 2021-05-14 12:28:01 +02:00
am53c974-test.c tests/qtest: add tests for am53c974 device 2021-04-12 22:37:11 +01:00
arm-cpu-features.c target/arm: Add cpu properties to control pauth 2021-01-19 14:38:51 +00:00
aspeed_hace-test.c tests/qtest: Add test for Aspeed HACE 2021-05-01 10:03:51 +02:00
aspeed_smc-test.c tests/qtest: Rename m25p80 test in aspeed_smc test 2021-05-01 10:03:52 +02:00
bios-tables-test-allowed-diff.h qtest/acpi/bios-tables-test: update acpi tables 2021-02-23 10:58:42 -05:00
bios-tables-test.c tests/qtest/bios-tables-test: Check for dup2() failure 2021-06-03 16:43:27 +01:00
boot-order-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
boot-sector.c tests/qtest/boot-sector: Check that the guest did not panic 2021-02-19 06:29:05 +01:00
boot-sector.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
boot-serial-test.c Remove the deprecated moxie target 2021-05-12 17:42:23 +02:00
cdrom-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
cmsdk-apb-dualtimer-test.c tests: Add a simple test of the CMSDK APB dual timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-timer-test.c tests: Add a simple test of the CMSDK APB timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-watchdog-test.c tests/qtest/cmsdk-apb-watchdog-test: Test clock changes 2021-01-29 15:54:44 +00:00
cpu-plug-test.c cphp: remove deprecated cpu-add command(s) 2020-09-29 02:14:30 -04:00
dbus-vmstate1.xml
dbus-vmstate-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
device-introspect-test.c qtest: escape device name in device-introspect-test 2020-11-04 12:00:02 -05:00
device-plug-test.c device-plug-test: use qtest_qmp to send the device_del command 2020-10-12 11:50:49 -04:00
display-vga-test.c
drive_del-test.c qemu-iotests, qtest: rewrite test 067 as a qtest 2020-10-12 11:50:50 -04:00
ds1338-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
e1000-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
e1000e-test.c tests/qtest/e1000e-test: Check qemu_recv() succeeded 2021-06-03 16:43:27 +01:00
eepro100-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
emc141x-test.c hw/misc: add an EMC141{3,4} device model 2020-12-10 12:11:03 +01:00
endianness-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
es1370-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
fdc-test.c
fuzz-e1000e-test.c net/eth: Read ip6_ext_hdr_routing buffer before accessing it 2021-03-22 17:34:31 +08:00
fuzz-megasas-test.c tests/qtest: Only run fuzz-megasas-test if megasas device is available 2021-03-16 14:19:54 -04:00
fuzz-sb16-test.c hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-17 11:55:23 +02:00
fuzz-virtio-scsi-test.c tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available 2021-03-16 14:19:54 -04:00
fw_cfg-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
hd-geo-test.c tests/qtest/hd-geo-test: Fix checks on mkstemp() return value 2021-06-03 16:43:27 +01:00
hexloader-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
i440fx-test.c
i82801b11-test.c
ide-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
intel-hda-test.c
ioh3420-test.c
ipmi-bt-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipmi-kcs-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipoctal232-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ivshmem-test.c ivshmem-test: do not use short-form boolean option 2020-11-04 12:00:02 -05:00
libqtest-single.h qtest: Update references to parse_escape() in comments 2020-11-10 08:51:30 +01:00
libqtest.c libqtest: refuse QTEST_QEMU_BINARY=qemu-kvm 2021-05-14 12:28:01 +02:00
lpc-ich9-test.c tests/qtest: cleanup the testcase for bug 1878642 2021-03-19 10:37:46 -04:00
m48t59-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
machine-none-test.c Drop the deprecated unicore32 target 2021-05-12 18:20:52 +02:00
megasas-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
meson.build hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-17 11:55:23 +02:00
microbit-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
migration-helpers.c tests/migration: fix memleak in wait_command/wait_command_fd 2020-10-24 07:23:19 +02:00
migration-helpers.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
migration-test.c tests/qtest/migration-test: Use g_autofree to avoid leaks on error paths 2021-05-14 12:37:00 +02:00
modules-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ne2000-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
npcm7xx_adc-test.c npcm7xx_adc-test: Fix memleak in adc_qom_set 2021-01-19 15:45:14 +00:00
npcm7xx_emc-test.c net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set 2021-03-30 14:05:33 +01:00
npcm7xx_gpio-test.c hw/gpio: Add GPIO model for Nuvoton NPCM7xx 2020-10-27 11:10:32 +00:00
npcm7xx_pwm-test.c tests/qtest/npcm7xx_pwm-test.c: Avoid g_assert_true() for non-test assertions 2021-05-14 12:28:01 +02:00
npcm7xx_rng-test.c tests/qtest/npcm7xx_rng-test: dump random data on failure 2020-12-10 11:30:44 +00:00
npcm7xx_smbus-test.c hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode 2021-02-16 14:12:54 +00:00
npcm7xx_timer-test.c tests/qtest: variable defined by g_autofree need to be initialized 2020-11-20 13:34:22 +01:00
npcm7xx_watchdog_timer-test.c tests/qtest: fix memleak in npcm7xx_watchdog_timer-test 2020-11-20 13:35:33 +01:00
numa-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
nvme-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pca9552-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pci-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pcnet-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pflash-cfi02-test.c tests/qtest/pflash-cfi02-test: Avoid potential integer overflow 2021-06-03 16:43:27 +01:00
pnv-xscom-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
prom-env-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pvpanic-pci-test.c tests/qtest: add a test case for pvpanic-pci 2021-01-29 10:47:28 +00:00
pvpanic-test.c qtest/pvpanic: Test panic option that allows VM to continue 2020-12-15 12:51:59 -05:00
pxe-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
q35-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
qmp-cmd-test.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
qmp-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
qom-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
qos-test.c tests/qtest/qos-test: dump QEMU command if verbose 2021-02-16 17:15:39 +01:00
rtas-test.c meson: link emulators without Makefile.target 2020-08-21 06:30:40 -04:00
rtc-test.c tests/qtest/rtc-test: Remove pointless NULL check 2021-05-14 12:28:01 +02:00
rtl8139-test.c
sdhci-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
spapr-phb-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
sse-timer-test.c tests/qtest/sse-timer-test: Test counter scaling changes 2021-03-08 17:20:03 +00:00
tco-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
test-arm-mptimer.c
test-filter-mirror.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
test-filter-redirector.c treewide: do not use short-form boolean options 2020-12-10 12:15:11 -05:00
test-hmp.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
test-netfilter.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
test-x86-cpuid-compat.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
tmp105-test.c
tpm-crb-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-crb-test.c
tpm-emu.c tpm: Move backend code under the 'backends/' directory 2020-06-19 07:25:55 -04:00
tpm-emu.h
tpm-tests.c tests/qtest/tpm-tests: Remove unnecessary NULL checks 2021-06-03 16:43:27 +01:00
tpm-tests.h
tpm-tis-device-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-tis-device-test.c
tpm-tis-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-tis-test.c
tpm-tis-util.c
tpm-tis-util.h
tpm-util.c tests/qtest/tpm-util.c: Free memory with correct free function 2021-05-14 12:28:01 +02:00
tpm-util.h
tulip-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
usb-hcd-ehci-test.c libqos: usb-hcd-ehci: use 32-bit write for config register 2020-06-26 06:45:29 -04:00
usb-hcd-ohci-test.c
usb-hcd-uhci-test.c
usb-hcd-xhci-test.c
vhost-user-blk-test.c vhost-user-blk-test: test discard/write zeroes invalid inputs 2021-05-18 12:57:38 +02:00
vhost-user-test.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
virtio-9p-test.c tests/9pfs: Mark "local" tests as "slow" 2020-11-24 12:44:25 +01:00
virtio-blk-test.c
virtio-ccw-test.c
virtio-net-test.c
virtio-rng-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
virtio-scsi-test.c tests/qtest/virtio-scsi-test: add unmap large LBA with 4k blocks test 2021-06-04 13:47:08 +02:00
virtio-serial-test.c
virtio-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
vmgenid-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
vmxnet3-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
wdt_ib700-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
xlnx-can-test.c arm: rename xlnx-zcu102.canbusN properties 2021-01-29 10:47:28 +00:00