qemu-e2k/tests/qtest
Philippe Mathieu-Daudé a2cd86a94a hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
Hardware Programming Guide" limit the sampling range from 4000 Hz to
44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
3-2 and 3-3).

Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
42h registers (Set digitized sound output sampling rate):

  Valid sampling rates range from 5000 to 45000 Hz inclusive.

There is no comment regarding error handling if the register is filled
with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
Auto-initialize Transfer"). Assume limits are enforced in hardware.

This fixes triggering an assertion in audio_calloc():

   abort
   audio_bug audio/audio.c:119:9
   audio_calloc audio/audio.c:154:9
   audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
   audio_pcm_sw_init_out audio/audio_template.h:175:11
   audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
   AUD_open_out audio/audio_template.h:503:14
   continue_dma8 hw/audio/sb16.c:216:20
   dma_cmd8 hw/audio/sb16.c:276:5
   command hw/audio/sb16.c:0
   dsp_write hw/audio/sb16.c:949:13
   portio_write softmmu/ioport.c:205:13
   memory_region_write_accessor softmmu/memory.c:491:5
   access_with_adjusted_size softmmu/memory.c:552:18
   memory_region_dispatch_write softmmu/memory.c:0:13
   flatview_write_continue softmmu/physmem.c:2759:23
   flatview_write softmmu/physmem.c:2799:14
   address_space_write softmmu/physmem.c:2891:18
   cpu_outw softmmu/ioport.c:70:5

[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

Fixes: 85571bc741 ("audio merge (malc)")
Buglink: https://bugs.launchpad.net/bugs/1910603
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210616104349.2398060-1-f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-06-17 11:55:23 +02:00
..
fuzz tests/qtest/fuzz: Fix build failure 2021-05-26 14:49:46 +02:00
libqos test: new qTest case to test the vhost-user-blk-server 2021-05-18 12:57:38 +02:00
ac97-test.c
acpi-utils.c
acpi-utils.h
ahci-test.c tests/qtest/ahci-test.c: Calculate iso_size with 64-bit arithmetic 2021-05-14 12:28:01 +02:00
am53c974-test.c tests/qtest: add tests for am53c974 device 2021-04-12 22:37:11 +01:00
arm-cpu-features.c target/arm: Add cpu properties to control pauth 2021-01-19 14:38:51 +00:00
aspeed_hace-test.c tests/qtest: Add test for Aspeed HACE 2021-05-01 10:03:51 +02:00
aspeed_smc-test.c tests/qtest: Rename m25p80 test in aspeed_smc test 2021-05-01 10:03:52 +02:00
bios-tables-test-allowed-diff.h qtest/acpi/bios-tables-test: update acpi tables 2021-02-23 10:58:42 -05:00
bios-tables-test.c tests/qtest/bios-tables-test: Check for dup2() failure 2021-06-03 16:43:27 +01:00
boot-order-test.c
boot-sector.c tests/qtest/boot-sector: Check that the guest did not panic 2021-02-19 06:29:05 +01:00
boot-sector.h
boot-serial-test.c Remove the deprecated moxie target 2021-05-12 17:42:23 +02:00
cdrom-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
cmsdk-apb-dualtimer-test.c tests: Add a simple test of the CMSDK APB dual timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-timer-test.c tests: Add a simple test of the CMSDK APB timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-watchdog-test.c tests/qtest/cmsdk-apb-watchdog-test: Test clock changes 2021-01-29 15:54:44 +00:00
cpu-plug-test.c
dbus-vmstate1.xml
dbus-vmstate-test.c
device-introspect-test.c qtest: escape device name in device-introspect-test 2020-11-04 12:00:02 -05:00
device-plug-test.c
display-vga-test.c
drive_del-test.c
ds1338-test.c
e1000-test.c
e1000e-test.c tests/qtest/e1000e-test: Check qemu_recv() succeeded 2021-06-03 16:43:27 +01:00
eepro100-test.c
emc141x-test.c hw/misc: add an EMC141{3,4} device model 2020-12-10 12:11:03 +01:00
endianness-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
es1370-test.c
fdc-test.c
fuzz-e1000e-test.c net/eth: Read ip6_ext_hdr_routing buffer before accessing it 2021-03-22 17:34:31 +08:00
fuzz-megasas-test.c tests/qtest: Only run fuzz-megasas-test if megasas device is available 2021-03-16 14:19:54 -04:00
fuzz-sb16-test.c hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-17 11:55:23 +02:00
fuzz-virtio-scsi-test.c tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available 2021-03-16 14:19:54 -04:00
fw_cfg-test.c
hd-geo-test.c tests/qtest/hd-geo-test: Fix checks on mkstemp() return value 2021-06-03 16:43:27 +01:00
hexloader-test.c
i440fx-test.c
i82801b11-test.c
ide-test.c
intel-hda-test.c
ioh3420-test.c
ipmi-bt-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipmi-kcs-test.c tests: Avoid side effects inside g_assert() arguments 2021-05-14 12:28:01 +02:00
ipoctal232-test.c
ivshmem-test.c ivshmem-test: do not use short-form boolean option 2020-11-04 12:00:02 -05:00
libqtest-single.h qtest: Update references to parse_escape() in comments 2020-11-10 08:51:30 +01:00
libqtest.c libqtest: refuse QTEST_QEMU_BINARY=qemu-kvm 2021-05-14 12:28:01 +02:00
lpc-ich9-test.c tests/qtest: cleanup the testcase for bug 1878642 2021-03-19 10:37:46 -04:00
m48t59-test.c
machine-none-test.c Drop the deprecated unicore32 target 2021-05-12 18:20:52 +02:00
megasas-test.c
meson.build hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-17 11:55:23 +02:00
microbit-test.c
migration-helpers.c
migration-helpers.h
migration-test.c tests/qtest/migration-test: Use g_autofree to avoid leaks on error paths 2021-05-14 12:37:00 +02:00
modules-test.c
ne2000-test.c
npcm7xx_adc-test.c npcm7xx_adc-test: Fix memleak in adc_qom_set 2021-01-19 15:45:14 +00:00
npcm7xx_emc-test.c net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set 2021-03-30 14:05:33 +01:00
npcm7xx_gpio-test.c
npcm7xx_pwm-test.c tests/qtest/npcm7xx_pwm-test.c: Avoid g_assert_true() for non-test assertions 2021-05-14 12:28:01 +02:00
npcm7xx_rng-test.c tests/qtest/npcm7xx_rng-test: dump random data on failure 2020-12-10 11:30:44 +00:00
npcm7xx_smbus-test.c hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode 2021-02-16 14:12:54 +00:00
npcm7xx_timer-test.c tests/qtest: variable defined by g_autofree need to be initialized 2020-11-20 13:34:22 +01:00
npcm7xx_watchdog_timer-test.c tests/qtest: fix memleak in npcm7xx_watchdog_timer-test 2020-11-20 13:35:33 +01:00
numa-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
nvme-test.c
pca9552-test.c
pci-test.c
pcnet-test.c
pflash-cfi02-test.c tests/qtest/pflash-cfi02-test: Avoid potential integer overflow 2021-06-03 16:43:27 +01:00
pnv-xscom-test.c
prom-env-test.c
pvpanic-pci-test.c tests/qtest: add a test case for pvpanic-pci 2021-01-29 10:47:28 +00:00
pvpanic-test.c qtest/pvpanic: Test panic option that allows VM to continue 2020-12-15 12:51:59 -05:00
pxe-test.c
q35-test.c
qmp-cmd-test.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
qmp-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
qom-test.c
qos-test.c tests/qtest/qos-test: dump QEMU command if verbose 2021-02-16 17:15:39 +01:00
rtas-test.c
rtc-test.c tests/qtest/rtc-test: Remove pointless NULL check 2021-05-14 12:28:01 +02:00
rtl8139-test.c
sdhci-test.c
spapr-phb-test.c
sse-timer-test.c tests/qtest/sse-timer-test: Test counter scaling changes 2021-03-08 17:20:03 +00:00
tco-test.c
test-arm-mptimer.c
test-filter-mirror.c
test-filter-redirector.c treewide: do not use short-form boolean options 2020-12-10 12:15:11 -05:00
test-hmp.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
test-netfilter.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
test-x86-cpuid-compat.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
tmp105-test.c
tpm-crb-swtpm-test.c
tpm-crb-test.c
tpm-emu.c
tpm-emu.h
tpm-tests.c tests/qtest/tpm-tests: Remove unnecessary NULL checks 2021-06-03 16:43:27 +01:00
tpm-tests.h
tpm-tis-device-swtpm-test.c
tpm-tis-device-test.c
tpm-tis-swtpm-test.c
tpm-tis-test.c
tpm-tis-util.c
tpm-tis-util.h
tpm-util.c tests/qtest/tpm-util.c: Free memory with correct free function 2021-05-14 12:28:01 +02:00
tpm-util.h
tulip-test.c
usb-hcd-ehci-test.c
usb-hcd-ohci-test.c
usb-hcd-uhci-test.c
usb-hcd-xhci-test.c
vhost-user-blk-test.c vhost-user-blk-test: test discard/write zeroes invalid inputs 2021-05-18 12:57:38 +02:00
vhost-user-test.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
virtio-9p-test.c tests/9pfs: Mark "local" tests as "slow" 2020-11-24 12:44:25 +01:00
virtio-blk-test.c
virtio-ccw-test.c
virtio-net-test.c
virtio-rng-test.c
virtio-scsi-test.c tests/qtest/virtio-scsi-test: add unmap large LBA with 4k blocks test 2021-06-04 13:47:08 +02:00
virtio-serial-test.c
virtio-test.c
vmgenid-test.c
vmxnet3-test.c
wdt_ib700-test.c
xlnx-can-test.c arm: rename xlnx-zcu102.canbusN properties 2021-01-29 10:47:28 +00:00