From: Jim Meyering <meyering@redhat.com>
Date: Mon, 7 May 2012 19:22:09 +0000 (+0200)
Subject: virsh: avoid heap corruption leading to virsh abort
X-Git-Tag: v0.9.11.4~95
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f755aa2957a31bbf09ab9afea7063f13de40d7b;p=thirdparty%2Flibvirt.git

virsh: avoid heap corruption leading to virsh abort

* tools/virsh.c (vshParseSnapshotDiskspec): Fix off-by-3 memmove
that would corrupt heap when parsing escaped --diskspec comma.
Bug introduced via commit v0.9.4-260-g35d52b5.
(cherry picked from commit c6694ab85c207e51c6f39cd958c4323b636d8d8d)
---

diff --git a/tools/virsh.c b/tools/virsh.c
index 032c8bf4ae..3c19346fc4 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -15800,7 +15800,7 @@ vshParseSnapshotDiskspec(vshControl *ctl, virBufferPtr buf, const char *str)
     while ((tmp = strchr(tmp, ','))) {
         if (tmp[1] == ',') {
             /* Recognize ,, as an escape for a literal comma */
-            memmove(&tmp[1], &tmp[2], len - (tmp - spec) + 2);
+            memmove(&tmp[1], &tmp[2], len - (tmp - spec) - 2 + 1);
             len--;
             tmp++;
             continue;