]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
virsh: avoid heap corruption leading to virsh abort
authorJim Meyering <meyering@redhat.com>
Mon, 7 May 2012 19:22:09 +0000 (21:22 +0200)
committerCole Robinson <crobinso@redhat.com>
Thu, 14 Jun 2012 21:03:58 +0000 (17:03 -0400)
* tools/virsh.c (vshParseSnapshotDiskspec): Fix off-by-3 memmove
that would corrupt heap when parsing escaped --diskspec comma.
Bug introduced via commit v0.9.4-260-g35d52b5.
(cherry picked from commit c6694ab85c207e51c6f39cd958c4323b636d8d8d)

tools/virsh.c

index 032c8bf4ae2b965daf0a47d369621aea7a976ace..3c19346fc44492978a7c878a4b9e3d5ff4fdbe6a 100644 (file)
@@ -15800,7 +15800,7 @@ vshParseSnapshotDiskspec(vshControl *ctl, virBufferPtr buf, const char *str)
     while ((tmp = strchr(tmp, ','))) {
         if (tmp[1] == ',') {
             /* Recognize ,, as an escape for a literal comma */
-            memmove(&tmp[1], &tmp[2], len - (tmp - spec) + 2);
+            memmove(&tmp[1], &tmp[2], len - (tmp - spec) - 2 + 1);
             len--;
             tmp++;
             continue;