Source-Changes-HG archive


[src/trunk]: src/sys/dev spkr(4): Avoid some overflow issues.



details:   https://anonhg.NetBSD.org/src/rev/bba5fe85dc72
branches:  trunk
changeset: 374091:bba5fe85dc72
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Mar 31 15:00:26 2023 +0000

description:
spkr(4): Avoid some overflow issues.

XXX pullup-8
XXX pullup-9
XXX pullup-10

Reported-by: syzbot+1a9980f3631bbd710ded%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=ea851fc4688cbac29a567cb49a4fd24d9afff426

Reported-by: syzbot+b4655f9c1734f886d610%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=b61236df29f595e38b12ee533b7b3275c8ec1865

diffstat:

 sys/dev/spkr.c |  14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diffs (56 lines):

diff -r aba5bd54b8b4 -r bba5fe85dc72 sys/dev/spkr.c
--- a/sys/dev/spkr.c    Fri Mar 31 13:03:05 2023 +0000
+++ b/sys/dev/spkr.c    Fri Mar 31 15:00:26 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: spkr.c,v 1.24 2022/09/24 23:16:37 thorpej Exp $        */
+/*     $NetBSD: spkr.c,v 1.25 2023/03/31 15:00:26 riastradh Exp $      */
 
 /*
  * Copyright (c) 1990 Eric S. Raymond (esr%snark.thyrsus.com@localhost)
@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: spkr.c,v 1.24 2022/09/24 23:16:37 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spkr.c,v 1.25 2023/03/31 15:00:26 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "wsmux.h"
@@ -204,6 +204,7 @@ playtone(struct spkr_softc *sc, int note
                        rest(sc, total);
                return;
        }
+       KASSERTMSG(note < __arraycount(pitchtab), "note=%d", note);
 
        /*
         * Rest 1/8 (if NORMAL) or 3/8 (if STACCATO) in tick.
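Review bot: The new bound on `note` in playtone() is enforced only by `KASSERTMSG`, which is compiled out of kernels built without DIAGNOSTIC, so those kernels still index `pitchtab` with whatever the caller passed. The commit adds a runtime check at the 'N' call site in playstring(), but the other callers of playtone() are outside this hunk, so it cannot be confirmed here that every path is bounded. If any of them can carry a value derived from the played string, a runtime guard next to the assertion would be safer, for example `if (note < 0 || (size_t)note >= __arraycount(pitchtab)) return;`. On DIAGNOSTIC kernels it would also turn a panic on bad input into a rejected note. playtone()'s body starts and ends outside the hunk.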
@@ -233,6 +234,10 @@ playstring(struct spkr_softc *sc, const 
 
 #define GETNUM(cp, v)  \
        for (v = 0; slen > 0 && isdigit((unsigned char)cp[1]); ) { \
+               if (v > INT_MAX/10 - (cp[1] - '0')) { \
+                       v = INT_MAX; \
+                       continue; \
+               } \
                v = v * 10 + (*++cp - '0'); \
                slen--; \
        }
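Review bot: The saturation branch added to GETNUM does `v = INT_MAX; continue;` without advancing `cp` or decrementing `slen`, so the loop condition `slen > 0 && isdigit((unsigned char)cp[1])` is re-evaluated on the same digit and the overflow test is true again with v == INT_MAX. As written, a long enough digit run appears to spin in this loop forever instead of being clamped. Consuming the digit in that branch fixes it: `v = INT_MAX; cp++; slen--; continue;` (each line with the macro's trailing backslash). Separately, the threshold `INT_MAX/10 - (cp[1] - '0')` saturates slightly earlier than necessary; `(INT_MAX - (cp[1] - '0'))/10` is the exact bound for `v * 10 + digit`, though the current form is still safe against overflow.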
@@ -320,6 +325,8 @@ playstring(struct spkr_softc *sc, const 
                                slen--;
                        } else {
                                GETNUM(cp, sc->sc_octave);
+                               KASSERTMSG(sc->sc_octave >= 0, "%d",
+                                   sc->sc_octave);
                                if (sc->sc_octave >= NOCTAVES)
                                        sc->sc_octave = DFLT_OCTAVE;
                                sc->sc_octprefix = true;
@@ -340,6 +347,9 @@ playstring(struct spkr_softc *sc, const 
 
                case 'N':
                        GETNUM(cp, pitch);
+                       KASSERTMSG(pitch >= 0, "pitch=%d", pitch);
+                       if (pitch >= __arraycount(pitchtab))
+                               break;
                        for (sustain = 0; slen > 0 && cp[1] == '.'; cp++) {
                                slen--;
                                sustain++;
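Review bot: The check `pitch >= __arraycount(pitchtab)` in the 'N' case compares what appears to be an int (it is printed with `%d`) against a size_t, so it rejects a negative pitch only through the implicit conversion to unsigned. The `KASSERTMSG(pitch >= 0, ...)` above it is compiled out of non-DIAGNOSTIC kernels, so a comment such as `/* pitch is converted to size_t here, so a negative value is rejected as well */` would record that the runtime check is the real guard. The `break` also skips the sustain-dot loop, leaving any '.' after an out-of-range number for the outer parser. Whether that is harmless depends on the switch's default handling, which is outside this hunk, as is the rest of the `for` loop that the hunk cuts off.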


