From: Daniel P. Berrange Date: Wed, 25 Sep 2013 08:34:25 +0000 (+0100) Subject: Fix crash on OOM in virDomainSnapshotDefParse X-Git-Tag: v1.1.3-rc1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93ac954094ace84f491646b46d43cb9be4c570c0;p=thirdparty%2Flibvirt.git Fix crash on OOM in virDomainSnapshotDefParse The virDomainSnapshotDefParse method assigned to def->ndisks before allocating def->disks. Thus if an OOM occurred, the cleanup code would access out of bounds. Signed-off-by: Daniel P. Berrange --- diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c index 45d6af47d3..207a8fe710 100644 --- a/src/conf/snapshot_conf.c +++ b/src/conf/snapshot_conf.c @@ -303,9 +303,9 @@ virDomainSnapshotDefParse(xmlXPathContextPtr ctxt, if ((n = virXPathNodeSet("./disks/*", ctxt, &nodes)) < 0) goto cleanup; if (flags & VIR_DOMAIN_SNAPSHOT_PARSE_DISKS) { - def->ndisks = n; - if (def->ndisks && VIR_ALLOC_N(def->disks, def->ndisks) < 0) + if (n && VIR_ALLOC_N(def->disks, n) < 0) goto cleanup; + def->ndisks = n; for (i = 0; i < def->ndisks; i++) { if (virDomainSnapshotDiskDefParseXML(nodes[i], &def->disks[i]) < 0) goto cleanup;
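Review bot: In the @@ -303,9 +303,9 @@ hunk of src/conf/snapshot_conf.c, the count is still published before any entry is parsed: `def->ndisks = n;` now follows the successful VIR_ALLOC_N, but if virDomainSnapshotDiskDefParseXML fails at index i, the `goto cleanup` path will still see all n entries, including those from i onward that were never filled in. That is only safe if the allocation zero-fills the array and the per-disk cleanup tolerates an empty entry, neither of which is visible in this hunk. Consider either adding a one-line comment stating that def->ndisks must not be assigned until def->disks is allocated, and that cleanup relies on zeroed entries, or growing def->ndisks as each disk parses successfully so cleanup never walks more entries than were initialized. The commit message would also be more precise if it said what the cleanup code dereferences when def->disks was never allocated, since "access out of bounds" leaves that open.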