conf: check the return value of virXPathNodeSet

In a few places, the return value could get passed to VIR_ALLOC_N without
being checked, resulting in a request to allocate a lot of memory if the
return value was negative.

src/conf/domain_conf.c

@@ -3258,7 +3258,9 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
     saved_node = ctxt->node;
 
     /* Allocate a security labels based on XML */
-    if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) == 0)
+    if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) < 0)
+        goto error;
+    if (n == 0)
         return 0;
 
     if (VIR_ALLOC_N(def->seclabels, n) < 0) {
@@ -3345,7 +3347,9 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
     virSecurityLabelDefPtr vmDef = NULL;
     char *model, *relabel, *label;
 
-    if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) == 0)
+    if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) < 0)
+        goto error;
+    if (n == 0)
         return 0;
 
     if (VIR_ALLOC_N(seclabels, n) < 0) {

src/conf/storage_conf.c

@@ -479,6 +479,7 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt,
     virStoragePoolOptionsPtr options;
     char *name = NULL;
     char *port = NULL;
+    int n;
 
     relnode = ctxt->node;
     ctxt->node = node;
@@ -510,7 +511,9 @@ virStoragePoolDefParseSource(xmlXPathContextPtr ctxt,
         VIR_FREE(format);
     }
 
-    source->nhost = virXPathNodeSet("./host", ctxt, &nodeset);
+    if ((n = virXPathNodeSet("./host", ctxt, &nodeset)) < 0)
+        goto cleanup;
+    source->nhost = n;
 
     if (source->nhost) {
         if (VIR_ALLOC_N(source->hosts, source->nhost) < 0) {