qemu: Fix possible infinite loop and segfault on error path.

virDomainVcpuPinDefCopy when the control flow reaches out of memory
cleanup code, the flow would end in a infinite loop as the loop variable
wasn't decremented.

Also a dereference of NULL pointers was possible if allocation of the
Vcpu pinning definiton structure failed.

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 224aec51dc05c3f5552530534c17993a25f9a8bc..2dad64dca06792096987c02c3fbd7e01f2b52ebb 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1496,7 +1496,7 @@ virDomainVcpuPinDefPtr *
 virDomainVcpuPinDefCopy(virDomainVcpuPinDefPtr *src, int nvcpupin)
 {
     int i = 0;
-    virDomainVcpuPinDefPtr *ret;
+    virDomainVcpuPinDefPtr *ret = NULL;
 
     if (VIR_ALLOC_N(ret, nvcpupin) < 0) {
         goto no_memory;
@@ -1514,11 +1514,15 @@ virDomainVcpuPinDefCopy(virDomainVcpuPinDefPtr *src, int nvcpupin)
     return ret;
 
 no_memory:
-    while (i >= 0) {
-        VIR_FREE(ret[i]->cpumask);
-        VIR_FREE(ret[i]);
+    if (ret) {
+        for ( ; i >= 0; --i) {
+            if (ret[i]) {
+                VIR_FREE(ret[i]->cpumask);
+                VIR_FREE(ret[i]);
+            }
+        }
+        VIR_FREE(ret);
     }
-    VIR_FREE(ret);
     virReportOOMError();
 
     return NULL;