On 05/07/2012 01:29 PM, Jim Meyering wrote:
Investigating a build problem reported by Laine,
I was surprised to see "make check" fail on F17 due to a
glibc invalid free abort. Ok to push to master?
From 61a559e0b2f4bded3059c5be7c958e2276f7fd16 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Mon, 7 May 2012 21:22:09 +0200
Subject: [PATCH] virsh: avoid heap corruption leading to virsh abort
* tools/virsh.c (vshParseSnapshotDiskspec): Fix off-by-3 memmove
that would corrupt heap when parsing escaped --diskspec comma.
Bug introduced via commit v0.9.4-260-g35d52b5.
---
tools/virsh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 1207ac9..dd9292a 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -16107,7 +16107,7 @@ vshParseSnapshotDiskspec(vshControl *ctl, virBufferPtr buf, const
char *str)
while ((tmp = strchr(tmp, ','))) {
if (tmp[1] == ',') {
/* Recognize ,, as an escape for a literal comma */
- memmove(&tmp[1], &tmp[2], len - (tmp - spec) + 2);
+ memmove(&tmp[1], &tmp[2], len - (tmp - spec) - 2 + 1);
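Review bot: the new count in the memmove, `len - (tmp - spec) - 2 + 1`, is only right while len equals the current strlen(spec), and nothing in the visible lines shows len being reduced after the shift. If the loop can meet a second ",," in the same spec and len is not adjusted, the count overshoots by one byte per earlier escape. Writing the count as `strlen(&tmp[2]) + 1` would remove that dependency. Otherwise a short comment should say that the - 2 drops tmp[0] and tmp[1], which precede the source, and the + 1 carries the trailing NUL. A test case with an escaped comma in --diskspec (ideally two) would keep this from regressing.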
ACK.
/me crawls in a hole for introducing that bug
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org