From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

The virDomainSnapshotDefParse method assigned to def->ndisks before allocating def->disks. Thus if an OOM occurred, the cleanup code would access out of bounds.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/conf/snapshot_conf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c
index 45d6af4..207a8fe 100644
--- a/src/conf/snapshot_conf.c
+++ b/src/conf/snapshot_conf.c
@@ -303,9 +303,9 @@ virDomainSnapshotDefParse(xmlXPathContextPtr ctxt,
     if ((n = virXPathNodeSet("./disks/*", ctxt, &nodes)) < 0)
         goto cleanup;
     if (flags & VIR_DOMAIN_SNAPSHOT_PARSE_DISKS) {
-        def->ndisks = n;
-        if (def->ndisks && VIR_ALLOC_N(def->disks, def->ndisks) < 0)
+        if (n && VIR_ALLOC_N(def->disks, n) < 0)
             goto cleanup;
+        def->ndisks = n;
         for (i = 0; i < def->ndisks; i++) {
             if (virDomainSnapshotDiskDefParseXML(nodes[i], &def->disks[i]) < 0)
                 goto cleanup;
--
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
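Review bot: The ordering the new code relies on is invisible to the next person who touches this block, so the moved `def->ndisks = n;` line deserves a comment such as `/* set the count only once disks is allocated: cleanup walks def->disks[0..ndisks) */`. The same invariant also covers the mid-loop failure path, where virDomainSnapshotDiskDefParseXML fails at some index i and cleanup still sees ndisks entries; that is only safe if VIR_ALLOC_N zero-fills the array so the unparsed tail holds nothing to free, which appears to be the case but is not shown in the hunk and is worth stating in the same comment. Note that the enclosing virDomainSnapshotDefParse, including the cleanup label that the goto targets, starts and ends outside the hunk.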