From 150c1db52b1c037efcee8ec728d01331901d0cd6 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Mon, 23 Sep 2013 14:14:04 +0100
Subject: [PATCH] Fix allocation of arglist in qemuStringToArgvEnv

In commit 41b550567918790cb304378f39c3ba369bcca28e
Author: Eric Blake
Date: Wed Aug 28 15:01:23 2013 -0600

qemu: simplify list cleanup

The qemuStringToArgvEnv method was changed to use virStringFreeList to free the 'arglist' array. This method assumes the string list array is NULL terminated, however, qemuStringToArgvEnv was not ensuring this when populating 'arglist'. This caused an out of bounds access by virStringFreeList when OOM occured in the initial loop of qemuStringToArgvEnv

Signed-off-by: Daniel P. Berrange
---
 src/qemu/qemu_command.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 1819bf6ac1..4c55b085c7 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9656,9 +9656,9 @@ static int qemuStringToArgvEnv(const char *args,
 char ***retargv)
 {
 char **arglist = NULL;
- int argcount = 0;
- int argalloc = 0;
- int envend;
+ size_t argcount = 0;
+ size_t argalloc = 0;
+ size_t envend;
 size_t i;
 const char *curr = args;
 const char *start;
@@ -9695,15 +9695,13 @@ static int qemuStringToArgvEnv(const char *args,
 if (next && (*next == '\'' || *next == '"'))
 next++;
- if (argalloc == argcount) {
- if (VIR_REALLOC_N(arglist, argalloc+10) < 0) {
- VIR_FREE(arg);
- goto error;
- }
- argalloc+=10;
+ if (VIR_RESIZE_N(arglist, argalloc, argcount, 2) < 0) {
+ VIR_FREE(arg);
+ goto error;
 }
 arglist[argcount++] = arg;
+ arglist[argcount] = NULL;
 while (next && c_isspace(*next))
 next++;
--
GitLab
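Review bot: The literal `2` in `VIR_RESIZE_N(arglist, argalloc, argcount, 2)` carries the whole fix (one slot for `arg`, one for the NULL terminator written on the new `arglist[argcount] = NULL;` line) yet nothing in the hunk says so, and a later "tidy-up" to `1` would silently bring back the out-of-bounds access the commit message describes. I would put a why-comment above the call: `/* Grow by 2: the new arg plus a NULL terminator, so arglist is always NULL-terminated and virStringFreeList is safe on the error path. */`. This relies on VIR_RESIZE_N guaranteeing `argalloc >= argcount + 2` on success, which is not visible in the diff; if it only grows by the requested amount when the list is full the index is still in range, but that is worth confirming against the macro. The rest of the parsing loop and the `error:` label lie outside the hunk, so whether later code preserves the terminator before the cleanup runs cannot be checked here.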