From 93ac954094ace84f491646b46d43cb9be4c570c0 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Wed, 25 Sep 2013 09:34:25 +0100
Subject: [PATCH] Fix crash on OOM in virDomainSnapshotDefParse

The virDomainSnapshotDefParse method assigned to def->ndisks before allocating def->disks. Thus if an OOM occurred, the cleanup code would access out of bounds.

Signed-off-by: Daniel P. Berrange
---
 src/conf/snapshot_conf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c
index 45d6af47d3..207a8fe710 100644
--- a/src/conf/snapshot_conf.c
+++ b/src/conf/snapshot_conf.c
@@ -303,9 +303,9 @@ virDomainSnapshotDefParse(xmlXPathContextPtr ctxt,
 if ((n = virXPathNodeSet("./disks/*", ctxt, &nodes)) < 0)
 goto cleanup;
 if (flags & VIR_DOMAIN_SNAPSHOT_PARSE_DISKS) {
- def->ndisks = n;
- if (def->ndisks && VIR_ALLOC_N(def->disks, def->ndisks) < 0)
+ if (n && VIR_ALLOC_N(def->disks, n) < 0)
 goto cleanup;
+ def->ndisks = n;
 for (i = 0; i < def->ndisks; i++) {
 if (virDomainSnapshotDiskDefParseXML(nodes[i], &def->disks[i]) < 0)
 goto cleanup;
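Review bot: The order of the allocation and the `def->ndisks = n;` assignment is now what keeps the error path memory-safe, but nothing in the code says so, and a later tidy-up could move the assignment back above the allocation. A one-line comment above the assignment would pin the invariant, for example `/* set ndisks only once disks[] exists: cleanup walks disks[0..ndisks) */`. Separately, the `goto cleanup` inside the per-disk loop is taken with `def->ndisks` already equal to `n`, so cleanup will visit entries that were never parsed. That is safe only if `VIR_ALLOC_N` zero-fills the array and the per-disk free routine tolerates an all-zero entry, which is worth confirming and stating in the same comment. The `cleanup` label and the rest of `virDomainSnapshotDefParse` are outside this hunk, so the description of the cleanup walk is taken from the commit message, not from visible code.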