From: Qiang Liu
Date: Wed, 23 Jun 2021 08:24:42 +0800
Subject: [PATCH] hw/audio/sb16: Restrict I/O sampling rate range for command 41h/42h
To: qemu-devel@nongnu.org, Gerd Hoffmann, Philippe Mathieu-Daudé
The I/O sampling rate range is enforced to 5000 to 45000 Hz according to
commit a2cd86a9. By setting the I/O sampling rate with command 41h/42h, a guest
user can break this assumption and trigger an assertion in audio_calloc
via command 0xd4. This patch restricts the I/O sampling rate range for
command 41h/42h.

Fixes: 85571bc7415 ("audio merge (malc)")
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
---
 hw/audio/sb16.c              | 31 +++++++++++++++++++------------
 tests/qtest/fuzz-sb16-test.c | 17 +++++++++++++++++
 2 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index 5cf121f..60f1f75 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -229,6 +229,23 @@ static void continue_dma8 (SB16State *s)
     control (s, 1);
 }
 
+static inline int restrict_sampling_rate(int freq)
+{
+    if (freq < SAMPLE_RATE_MIN) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too low: %d, increasing to %u\n",
+                      freq, SAMPLE_RATE_MIN);
+        return SAMPLE_RATE_MIN;
+    } else if (freq > SAMPLE_RATE_MAX) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too high: %d, decreasing to %u\n",
+                      freq, SAMPLE_RATE_MAX);
+        return SAMPLE_RATE_MAX;
+    } else {
+        return freq;
+    }
+}
+
 static void dma_cmd8 (SB16State *s, int mask, int dma_len)
 {
     s->fmt = AUDIO_FORMAT_U8;
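Review bot: restrict_sampling_rate() deserves a one-line comment stating the invariant it now guards, since the commit message says audio_calloc() depends on s->freq staying within [SAMPLE_RATE_MIN, SAMPLE_RATE_MAX] and this helper becomes the single place that guarantees it; something like `/* Clamp a guest-supplied rate into the range the audio layer can allocate for; out-of-range values are logged as guest errors. */` above the definition would tell the next person adding a writer of s->freq to route it through here. Two nits carried over from the old inline code: the messages say "sampling range too low/high" but print a single rate, so "sampling rate %d too low, increasing to %u" reads more accurately, and `%u` is only the right conversion if SAMPLE_RATE_MIN/MAX are defined as unsigned values, so check the format against how those macros are declared.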
@@ -244,17 +261,7 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len)
         int tmp = (256 - s->time_const);
         s->freq = (1000000 + (tmp / 2)) / tmp;
     }
-    if (s->freq < SAMPLE_RATE_MIN) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "sampling range too low: %d, increasing to %u\n",
-                      s->freq, SAMPLE_RATE_MIN);
-        s->freq = SAMPLE_RATE_MIN;
-    } else if (s->freq > SAMPLE_RATE_MAX) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "sampling range too high: %d, decreasing to %u\n",
-                      s->freq, SAMPLE_RATE_MAX);
-        s->freq = SAMPLE_RATE_MAX;
-    }
+    s->freq = restrict_sampling_rate(s->freq);
 
     if (dma_len != -1) {
         s->block_size = dma_len << s->fmt_stereo;
@@ -768,7 +775,7 @@ static void complete (SB16State *s)
              * and FT2 sets output freq with this (go figure).  Compare:
              * http://homepages.cae.wisc.edu/~brodskye/sb16doc/sb16doc.html#SamplingRate
              */
-            s->freq = dsp_get_hilo (s);
+            s->freq = restrict_sampling_rate(dsp_get_hilo(s));
             ldebug ("set freq %d\n", s->freq);
             break;
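Review bot: this site is the actual fix, and it clamps rather than rejects: a rate programmed via 41h/42h that falls outside the range is silently replaced by SAMPLE_RATE_MIN or SAMPLE_RATE_MAX with a LOG_GUEST_ERROR entry, which is exactly what dma_cmd8() already did for the time-constant path, so the two ways a guest can set the rate now behave consistently and the log line is the place to look when diagnosing a misbehaving guest. Worth confirming in the same pass that these two call sites are the only writers of s->freq; any other path that assigns it without going through the helper would reintroduce the out-of-range value that audio_calloc() asserts on.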

diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c
index 51030cd..f47a8bc 100644
--- a/tests/qtest/fuzz-sb16-test.c
+++ b/tests/qtest/fuzz-sb16-test.c
@@ -37,6 +37,22 @@ static void test_fuzz_sb16_0x91(void)
     qtest_quit(s);
 }
 
+/*
+ * This used to trigger the assert in audio_calloc
+ * through command 0xd4
+ */
+static void test_fuzz_sb16_0xd4(void)
+{
+    QTestState *s = qtest_init("-M pc -display none "
+                               "-device sb16,audiodev=none "
+                               "-audiodev id=none,driver=none");
+    qtest_outb(s, 0x22c, 0x41);
+    qtest_outb(s, 0x22c, 0x00);
+    qtest_outb(s, 0x22c, 0x14);
+    qtest_outb(s, 0x22c, 0xd4);
+    qtest_quit(s);
+}
+
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
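Review bot: the regression test drives only command 0x41, while the commit message and the fix in complete() cover 41h/42h; since the clamp sits at a single site that both commands presumably reach, a second sequence issuing 0x42 with the same two rate bytes (or a sibling test_fuzz_sb16_0x42) would exercise the input-rate command as well. Like the neighbouring test_fuzz_sb16_0x1c/0x91 cases, this test passes simply because QEMU survives the 0xd4 write, so the comment should say that explicitly ("QEMU must not assert in audio_calloc when 0xd4 is issued after an out-of-range rate") rather than leaving a reader to expect an assertion on s->freq that the test never makes.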
@@ -46,6 +62,7 @@ int main(int argc, char **argv)
    if (strcmp(arch, "i386") == 0) {
         qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c);
         qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91);
+        qtest_add_func("fuzz/test_fuzz_sb16/d4", test_fuzz_sb16_0xd4);
    }
 
    return g_test_run();
--
2.7.4