Fix crash on OOM in virDomainSnapshotDefParse

The virDomainSnapshotDefParse method assigned to def->ndisks
before allocating def->disks. Thus if an OOM occurred, the
cleanup code would access out of bounds.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c
index 45d6af47d3bf53447946c9738a7113e62c1c5e68..207a8fe7104f6d969c4a72d636b6beb25ae55e9f 100644 (file)
--- a/src/conf/snapshot_conf.c
+++ b/src/conf/snapshot_conf.c
@@ -303,9 +303,9 @@ virDomainSnapshotDefParse(xmlXPathContextPtr ctxt,
     if ((n = virXPathNodeSet("./disks/*", ctxt, &nodes)) < 0)
         goto cleanup;
     if (flags & VIR_DOMAIN_SNAPSHOT_PARSE_DISKS) {
-        def->ndisks = n;
-        if (def->ndisks && VIR_ALLOC_N(def->disks, def->ndisks) < 0)
+        if (n && VIR_ALLOC_N(def->disks, n) < 0)
             goto cleanup;
+        def->ndisks = n;
         for (i = 0; i < def->ndisks; i++) {
             if (virDomainSnapshotDiskDefParseXML(nodes[i], &def->disks[i]) < 0)
                 goto cleanup;