Fix allocation of arglist in qemuStringToArgvEnv

In

  commit 41b550567918790cb304378f39c3ba369bcca28e
  Author: Eric Blake <eblake@redhat.com>
  Date:   Wed Aug 28 15:01:23 2013 -0600

    qemu: simplify list cleanup

The qemuStringToArgvEnv method was changed to use virStringFreeList
to free the 'arglist' array. This method assumes the string list
array is NULL terminated, however, qemuStringToArgvEnv was not
ensuring this when populating 'arglist'. This caused an out of
bounds access by virStringFreeList when OOM occured in the initial
loop of qemuStringToArgvEnv

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 1819bf6ac12a43701f57a85ecb7bfad539e24dc3..4c55b085c7ebed459180f9d26c2684ba872b3ec7 100644 (file)
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9656,9 +9656,9 @@ static int qemuStringToArgvEnv(const char *args,
                                char ***retargv)
 {
     char **arglist = NULL;
-    int argcount = 0;
-    int argalloc = 0;
-    int envend;
+    size_t argcount = 0;
+    size_t argalloc = 0;
+    size_t envend;
     size_t i;
     const char *curr = args;
     const char *start;
@@ -9695,15 +9695,13 @@ static int qemuStringToArgvEnv(const char *args,
         if (next && (*next == '\'' || *next == '"'))
             next++;
 
-        if (argalloc == argcount) {
-            if (VIR_REALLOC_N(arglist, argalloc+10) < 0) {
-                VIR_FREE(arg);
-                goto error;
-            }
-            argalloc+=10;
+        if (VIR_RESIZE_N(arglist, argalloc, argcount, 2) < 0) {
+            VIR_FREE(arg);
+            goto error;
         }
 
         arglist[argcount++] = arg;
+        arglist[argcount] = NULL;
 
         while (next && c_isspace(*next))
             next++;