After 457ff97fa there are two defects in our code. In both of them we use a signed variable to hold up a number of snapshots that domain has. We use a helper function to count the number. However, the helper function may fail in which case it returns a negative one and control jumps to cleanup label where an unsigned variable is used to iterate over array of snapshots. The loop condition thus compare signed and unsigned variables which in this specific case ends up badly for us. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/vbox/vbox_common.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/vbox/vbox_common.c b/src/vbox/vbox_common.c index 5302d1c..8c00a4f 100644 --- a/src/vbox/vbox_common.c +++ b/src/vbox/vbox_common.c @@ -5507,11 +5507,10 @@ vboxDomainSnapshotGet(vboxGlobalData *data, ISnapshot **snapshots = NULL; ISnapshot *snapshot = NULL; nsresult rc; - int count = 0; - size_t i; + ssize_t i, count = 0; if ((count = vboxDomainSnapshotGetAll(dom, machine, &snapshots)) < 0) - goto cleanup; + return NULL; for (i = 0; i < count; i++) { PRUnichar *nameUtf16; @@ -6188,8 +6187,7 @@ static int vboxDomainSnapshotListNames(virDomainPtr dom, char **names, IMachine *machine = NULL; nsresult rc; ISnapshot **snapshots = NULL; - int count = 0; - size_t i; + ssize_t i, count = 0; int ret = -1; if (!data->vboxObj) -- 2.4.10

After 6604a3dd9f8 in which new helper function has been introduced, the code calls virStringReplace and dereference the result immediately. The string function can, however, return NULL so this would SIGSEGV right away. Check for the return value of the string function. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/xenconfig/xen_xl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/xenconfig/xen_xl.c b/src/xenconfig/xen_xl.c index 585ef9b..e65f5c6 100644 --- a/src/xenconfig/xen_xl.c +++ b/src/xenconfig/xen_xl.c @@ -254,7 +254,12 @@ xenParseXLDiskSrc(virDomainDiskDefPtr disk, char *srcstr) int ret = -1; if (STRPREFIX(srcstr, "rbd:")) { - tmpstr = virStringReplace(srcstr, "\\\\", "\\"); + if (!(tmpstr = virStringReplace(srcstr, "\\\\", "\\"))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to parse disk source string: %s"), + srcstr); + goto cleanup; + } virDomainDiskSetType(disk, VIR_STORAGE_TYPE_NETWORK); disk->src->protocol = VIR_STORAGE_NET_PROTOCOL_RBD; -- 2.4.10

There's this check when building command line that whenever domain has no graphics card configured we put -nographics onto qemu command line. The check is 'if (!def->graphics)'. This makes coverity think that def->graphics can be NULL, which is true. But later in the code every access to def->graphics is guarded by check for def->ngraphics, so no crash occurs. But this is something that coverity fails to deduct. In order to shut coverity up lets change the condition to 'if (!def->ngraphics)'. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/qemu/qemu_command.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 78423e7..854e51c 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7130,7 +7130,7 @@ qemuBuildCommandLine(virConnectPtr conn, * if you ask for nographic. So we have to make sure we override * these defaults ourselves... */ - if (!def->graphics) { + if (!def->ngraphics) { virCommandAddArg(cmd, "-nographic"); if (cfg->nogfxAllowHostAudio) -- 2.4.10