From: Jiri Denemark
Date: Mon, 13 Feb 2017 08:32:21 +0000 (+0100)
Subject: qemu_monitor_json: Properly check GetArray return value
X-Git-Tag: CVE-2017-2635~110
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=598b6d79997421da33aefc98f5f5889cf9798b1b;p=thirdparty%2Flibvirt.git
qemu_monitor_json: Properly check GetArray return value
Commit 2a8d40f4ec refactored qemuMonitorJSONGetCPUx86Data and replaced virJSONValueObjectGet(reply, "return") with virJSONValueObjectGetArray. While the former is guaranteed to always return non-NULL pointer the latter may return NULL if the returned JSON object is not an array.
Signed-off-by: Jiri Denemark
---
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index e30b72cd40..1d281af48e 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -6554,7 +6554,7 @@ qemuMonitorJSONParseCPUx86Features(virJSONValuePtr data,
 ssize_t n;
 int ret = -1;
- if ((n = virJSONValueArraySize(data)) < 0) {
+ if (!data || (n = virJSONValueArraySize(data)) < 0) {
 virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("invalid array of CPUID features"));
 return -1;
@@ -6644,9 +6644,8 @@ qemuMonitorJSONCheckCPUx86(qemuMonitorPtr mon)
 if (qemuMonitorJSONCheckError(cmd, reply)) goto cleanup;
- data = virJSONValueObjectGetArray(reply, "return");
-
- if ((n = virJSONValueArraySize(data)) < 0) {
+ if (!(data = virJSONValueObjectGetArray(reply, "return")) ||
+ (n = virJSONValueArraySize(data)) < 0) {
 virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("qom-list reply data was not an array"));
 goto cleanup;
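Review bot: The new `!data` guard in qemuMonitorJSONParseCPUx86Features (first hunk) leaves the NULL contract undocumented. The hunk does not show where a NULL `data` can come from; the commit message places the source in qemuMonitorJSONGetCPUx86Data, which is outside this hunk. The second hunk checks the same virJSONValueObjectGetArray result at the call site instead, so the two paths now validate in different places. A comment above the guard such as `/* data is NULL when the reply's "return" member is not an array */` would keep a later cleanup from dropping the check as redundant. The function body starts and ends outside the hunk.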
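Review bot: Neither guard is pinned by a test on this page, since the diff touches only qemu_monitor_json.c. Both conditions run on a reply produced by the QEMU process, which is best treated as untrusted input on the libvirt side. For the second hunk (qemuMonitorJSONCheckCPUx86), a monitor test could feed a reply whose `return` member is an object or a string rather than an array and expect the `qom-list reply data was not an array` error. An equivalent case for the CPUID features path in the first hunk would catch a regression to the unchecked call. The function continues outside the hunk.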