From b47727460edc1bd5094a7fbfff8977d5f07cabae Mon Sep 17 00:00:00 2001
From: w00506750
Date: Thu, 29 Apr 2021 15:58:59 +0800
Subject: iothread: fix memory access out of bounds
When the 'pcpu' is larger then the last 'iothr->cpumap' bits, set the list element to False to avoid out of bounds access 'iothr->cpumap'.
Signed-off-by: suruifeng
Reviewed-by: Hogan Wang
---
libvirt-override.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'libvirt-override.c')
diff --git a/libvirt-override.c b/libvirt-override.c
index 3c55e7e..ee0c4eb 100644
--- a/libvirt-override.c
+++ b/libvirt-override.c
@@ -1625,10 +1625,14 @@ libvirt_virDomainGetIOThreadInfo(PyObject *self ATTRIBUTE_UNUSED,
 VIR_PY_TUPLE_SET_GOTO(iothrtpl, 1, iothrmap, cleanup);
 for (pcpu = 0; pcpu < cpunum; pcpu++)
- VIR_PY_LIST_SET_GOTO(iothrmap, pcpu,
- PyBool_FromLong(VIR_CPU_USED(iothr->cpumap,
- pcpu)),
- cleanup);
+ if (VIR_CPU_MAPLEN(pcpu + 1) > iothr->cpumaplen) {
+ VIR_PY_LIST_SET_GOTO(iothrmap, pcpu, PyBool_FromLong(0), cleanup);
+ } else {
+ VIR_PY_LIST_SET_GOTO(iothrmap, pcpu,
+ PyBool_FromLong(VIR_CPU_USED(iothr->cpumap,
+ pcpu)),
+ cleanup);
+ }
 }
 py_retval = py_iothrinfo;
-- cgit v1.2.1
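Review bot: The `for (pcpu = 0; pcpu < cpunum; pcpu++)` line is still unbraced although its body is now an eight-line if/else, and the `}` that follows the added `+ }` closes an enclosing block rather than this loop, so the bounds check can be detached from the loop by a later edit without anyone noticing. Brace the loop, `for (pcpu = 0; pcpu < cpunum; pcpu++) {` with a matching `}` after the else branch. The guard is also the only thing keeping the `VIR_CPU_USED(iothr->cpumap, pcpu)` read inside the buffer, and nothing at the site says so; a comment such as `/* cpumap holds only cpumaplen bytes; report CPUs beyond it as unused rather than read past the end */` would record that `cpunum` and `cpumaplen` are not assumed to agree (they appear to come from different sources, which the hunk does not show). The function body starts and ends outside the hunk.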