
scsi_cd: Improve TOC access validation
ClosedPublic

Authored by markj on Nov 2 2021, 1:43 PM.
Details

Summary
  1. During CD probing, we read the TOC header to find the number of entries, then read the TOC itself. The header determines the number of entries, which determines the amount of data to read from the device into the softc in the CD_STATE_MEDIA_TOC_FULL state. We hard-code a limit of 99 tracks (plus one for the lead-out) in the softc, but were not validating that the size reported by the media would fit in this hard-coded limit. Kernel memory corruption would occur if not.[1] Add validation to check this.
  2. The CDIOCPLAYTRACKS ioctl uses caller provided track numbers to index into the TOC, but we only validate the starting index. Add validation of the ending index.

Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.

Reported by: C Turt <ecturt@gmail.com> [1]

Test Plan

I verified that I'm able to read the TOC from an audio CD as before. I tried
lowering the hard-coded limit to a small number and verified that we now
clear the CD_FLAG_VALID_TOC flag when probing a CD during boot, whereas
before we'd panic.
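The two checks the revision describes, worked through in C as an added example. This is not scsi_cd.c or any code from the revision: the softc layout, the constant names and the function names are assumptions chosen to mirror the summary, and the only thing taken from outside the page is the MMC READ TOC (format 0) reply layout, a 4-byte header (big-endian data length, first track, last track) followed by 8-byte track descriptors. The sample replies are constructed, not captured from a device. The point it shows is that the header's track numbers are attacker-controlled input and must be checked against the fixed-size entries[] array before the copy, and that the ioctl must bound both track indices, not just the first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants: the pre-fix softc held 99 tracks plus one lead-out entry. */
#define CD_MAX_TRACKS     99
#define CD_TOC_ENTRIES    (CD_MAX_TRACKS + 1)
#define CD_FLAG_VALID_TOC 0x01
#define TOC_HDR_LEN       4   /* READ TOC format 0 header, per MMC */
#define TOC_DESC_LEN      8   /* one track descriptor */

struct toc_header { uint16_t len; uint8_t first_track; uint8_t last_track; };
struct toc_entry  { uint8_t adr_control; uint8_t track; uint32_t lba; };

/* Stand-in for the per-device softc; the fixed-size entries[] is the overflow target. */
struct cd_softc {
	struct toc_header hdr;
	struct toc_entry  entries[CD_TOC_ENTRIES];
	unsigned          flags;
};

/* Decode the 4-byte header: big-endian data length, first and last track number. */
int
toc_parse_header(const uint8_t *buf, size_t n, struct toc_header *h)
{
	if (n < TOC_HDR_LEN)
		return (-1);
	h->len = (uint16_t)((buf[0] << 8) | buf[1]);
	h->first_track = buf[2];
	h->last_track = buf[3];
	return (0);
}

/* Entries the header implies: every track from first to last, plus the lead-out. */
int
toc_num_entries(const struct toc_header *h)
{
	if (h->last_track < h->first_track)
		return (-1);
	return (h->last_track - h->first_track + 2);
}

/*
 * Read the full TOC into the softc.  The range check between the header and the
 * copy loop is the one the revision adds: without it a header claiming 200 tracks
 * drives the loop past the end of entries[].  On rejection VALID_TOC stays clear.
 */
int
cd_load_toc(struct cd_softc *sc, const uint8_t *reply, size_t reply_len)
{
	struct toc_header h;
	int n, i;

	sc->flags &= ~CD_FLAG_VALID_TOC;
	if (toc_parse_header(reply, reply_len, &h) != 0)
		return (-1);
	n = toc_num_entries(&h);
	if (n < 0 || n > CD_TOC_ENTRIES)
		return (-1);			/* media's TOC does not fit the softc */
	if (reply_len < TOC_HDR_LEN + (size_t)n * TOC_DESC_LEN)
		return (-1);			/* short reply from the device */
	sc->hdr = h;
	for (i = 0; i < n; i++) {
		const uint8_t *d = reply + TOC_HDR_LEN + i * TOC_DESC_LEN;
		sc->entries[i].adr_control = d[1];
		sc->entries[i].track = d[2];
		sc->entries[i].lba = ((uint32_t)d[4] << 24) | ((uint32_t)d[5] << 16) |
		    ((uint32_t)d[6] << 8) | d[7];
	}
	sc->flags |= CD_FLAG_VALID_TOC;
	return (n);
}

/*
 * CDIOCPLAYTRACKS-style check: both caller-supplied track numbers must lie within
 * the TOC before either is used to index entries[].  The exact bounds the driver
 * applies are not on the page; this checks the first..last track range only.
 */
int
cd_validate_play_tracks(const struct cd_softc *sc, uint8_t start, uint8_t end)
{
	if ((sc->flags & CD_FLAG_VALID_TOC) == 0)
		return (-1);
	if (start < sc->hdr.first_track || start > sc->hdr.last_track)
		return (-1);
	if (end < sc->hdr.first_track || end > sc->hdr.last_track)
		return (-1);			/* the previously missing end-index check */
	if (end < start)
		return (-1);
	return (0);
}

/* Constructed sample reply: a 3-track disc (tracks 1..3) followed by the lead-out (0xAA). */
const uint8_t sample_toc[] = {
	0x00, 0x22, 0x01, 0x03,				/* len 34, first 1, last 3 */
	0x00, 0x14, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,	/* track 1 at LBA 0 */
	0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x2A, 0x30,	/* track 2 at LBA 10800 */
	0x00, 0x14, 0x03, 0x00, 0x00, 0x00, 0x5A, 0xC0,	/* track 3 at LBA 23232 */
	0x00, 0x14, 0xAA, 0x00, 0x00, 0x01, 0x00, 0x00,	/* lead-out at LBA 65536 */
};
const size_t sample_toc_len = sizeof(sample_toc);

/* Constructed hostile header: claims tracks 1..200, i.e. 201 entries, more than entries[] holds. */
const uint8_t hostile_toc[] = { 0x06, 0x4A, 0x01, 0xC8 };
const size_t hostile_toc_len = sizeof(hostile_toc);

int
main(void)
{
	struct cd_softc sc;

	memset(&sc, 0, sizeof(sc));
	printf("sample: %d entries\n", cd_load_toc(&sc, sample_toc, sample_toc_len));
	printf("play 1..3: %d, play 1..7: %d\n",
	    cd_validate_play_tracks(&sc, 1, 3), cd_validate_play_tracks(&sc, 1, 7));
	memset(&sc, 0, sizeof(sc));
	printf("hostile: %d, VALID_TOC=%u\n",
	    cd_load_toc(&sc, hostile_toc, hostile_toc_len), sc.flags & CD_FLAG_VALID_TOC);
	return (0);
}
```

The hostile header is rejected before any descriptor is copied, which matches the test plan's observation that a too-small limit now leaves CD_FLAG_VALID_TOC clear instead of panicking. Note that the header's own length field is deliberately not trusted for the bound either: the entry count derived from the track numbers is what sizes the copy, so that is what must be checked.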

Diff Detail

Repository
rG FreeBSD src repository