[PATCH 1/4] virBitmapNewCopy: Honor sizes of either bitmap when doing memcpy()

'virBitmapNewCopy()' allocates a new bitmap with the same number of bits
but uses the internal allocation length as argument for the memcpy()
operation to copy the bits. Due to bugs in other code these may not be
the same, resulting in a buffer overflow if the source is
over-allocated. Use the buffer length of the target bitmap instead.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/util/virbitmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c
index b8d0352bb1..a1a8c5d126 100644
--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -582,7 +582,7 @@ virBitmapNewCopy(virBitmap *src)
 {
     virBitmap *dst = virBitmapNew(src->nbits);

-    memcpy(dst->map, src->map, src->map_len * sizeof(src->map[0]));
+    memcpy(dst->map, src->map, dst->map_len * sizeof(src->map[0]));

     return dst;
 }
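Review bot: The new memcpy() length uses only dst->map_len, although the subject line says the sizes of either bitmap are honored. That bounds the write into dst->map, but if src->map_len were ever smaller than dst->map_len the same call would read past the end of src->map. Consider copying the smaller of src->map_len and dst->map_len elements so both mismatches are covered, and confirm the remainder of dst->map is zeroed in that case. Minor style point: the element size is still taken from sizeof(src->map[0]) while the count now comes from dst; using dst->map[0] would keep the expression consistent.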
-- 
2.47.0



