On 07/05/2013 11:37 AM, Laine Stump wrote: > On 07/05/2013 02:23 AM, Gonglei (Arei) wrote: >> In the for loop, the if condition is always true, and will execute memmove. >> But it will cause the list->devs[i+1] overflow while i equals list->count-1. >> >> Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx> >> --- >> src/util/virusb.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/src/util/virusb.c b/src/util/virusb.c >> index d34e44f..30d0b12 100644 >> --- a/src/util/virusb.c >> +++ b/src/util/virusb.c >> @@ -497,7 +497,7 @@ virUSBDeviceListSteal(virUSBDeviceListPtr list, >> >> ret = list->devs[i]; >> >> - if (i != list->count--) >> + if (i != --list->count) >> memmove(&list->devs[i], >> &list->devs[i+1], >> sizeof(*list->devs) * (list->count - i)); > This function is a good candidate for switching to VIR_DELETE_ELEMENT() > instead. This will eliminate the bug that you found while making the > code much shorter. I have a patch for that sitting around, I'll rebase > it and post it. Posted here: https://www.redhat.com/archives/libvir-list/2013-July/msg00336.html (I forgot to mention it in that patch, but it assumes Michal's "eliminate virReportOOMError()" patches have all been pushed.) -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list