qemuBlockJobProcessEventCompletedPull: Avoid dangling pointer after blockpull

When doing a full block pull job (base == NULL) and the config XML
contains a compatible disk, the completer function would leave a
dangling pointer in 'cfgdisk->src->backingStore' as cfgdisk->src would
be set to the value of 'cfgbase' which was always set to
'cfgdisk->src->backingStore'.

This is wrong though since for the live definition XML we set the
respective counterpart to 'job->data.pull.base' which is NULL in the
above scenario.

This leads to a invalid pointer read when saving the config XML and may
end up in a crash.

Resolve it by setting 'cfgbase' only when 'job->data.pull.base' is
non-NULL.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1946918
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

src/qemu/qemu_blockjob.c

@@ -1005,10 +1005,7 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPtr driver,
     if (!job->disk)
         return;
 
-    if ((cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
-        cfgbase = cfgdisk->src->backingStore;
-
-    if (!cfgdisk)
+    if (!(cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
         qemuBlockJobClearConfigChain(vm, job->disk);
 
     qemuBlockJobProcessEventCompletedPullBitmaps(vm, job, asyncJob);
@@ -1018,6 +1015,8 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPtr driver,
         return;
 
     if (job->data.pull.base) {
+        if (cfgdisk)
+            cfgbase = cfgdisk->src->backingStore;
         for (n = job->disk->src->backingStore; n && n != job->data.pull.base; n = n->backingStore) {
             /* find the image on top of 'base' */