diff options
| author |   Jim Meyering <meyering@redhat.com> | 2012-05-07 21:22:09 +0200 |
|---|---|---|
| committer | Jim Meyering <meyering@redhat.com> | 2012-05-07 21:40:38 +0200 |
| commit | c6694ab85c207e51c6f39cd958c4323b636d8d8d (patch) | |
| tree | 7c4b4afa7728995e6a053b225c0cd1087843a2a5 /tools | |
| parent | util: set src_pid for virNetlinkCommand when appropriate (diff) | |
| download | libvirt-c6694ab85c207e51c6f39cd958c4323b636d8d8d.tar.gz libvirt-c6694ab85c207e51c6f39cd958c4323b636d8d8d.tar.bz2 libvirt-c6694ab85c207e51c6f39cd958c4323b636d8d8d.zip | |
virsh: avoid heap corruption leading to virsh abort
* tools/virsh.c (vshParseSnapshotDiskspec): Fix off-by-3 memmove
that would corrupt heap when parsing escaped --diskspec comma.
Bug introduced via commit v0.9.4-260-g35d52b5.
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/virsh.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/virsh.c b/tools/virsh.c index 1207ac9c5..dd9292a1f 100644 --- a/tools/virsh.c +++ b/tools/virsh.c @@ -16107,7 +16107,7 @@ vshParseSnapshotDiskspec(vshControl *ctl, virBufferPtr buf, const char *str) while ((tmp = strchr(tmp, ','))) { if (tmp[1] == ',') { /* Recognize ,, as an escape for a literal comma */ - memmove(&tmp[1], &tmp[2], len - (tmp - spec) + 2); + memmove(&tmp[1], &tmp[2], len - (tmp - spec) - 2 + 1); len--; tmp++; continue; |