virBitmapNewCopy: Honor sizes of either bitmap when doing memcpy()

'virBitmapNewCopy()' allocates a new bitmap with the same number of bits
but uses the internal allocation length as argument for the memcpy()
operation to copy the bits. Due to bugs in other code these may not be
the same resulting into a buffer overflow if the source is
over-allocated. Use the buffer length of the target bitmap instead.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c
index b8d0352bb1216d9cc5425d76ba393f854dbdb1eb..a1a8c5d1269f702e6ebcf293c5264e6832c7b990 100644 (file)
--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -582,7 +582,7 @@ virBitmapNewCopy(virBitmap *src)
 {
     virBitmap *dst = virBitmapNew(src->nbits);
 
-    memcpy(dst->map, src->map, src->map_len * sizeof(src->map[0]));
+    memcpy(dst->map, src->map, dst->map_len * sizeof(src->map[0]));
 
     return dst;
 }