qemu: Don't corrupt pointer in qemuDomainSaveMemory()

The code that was split out into the qemuDomainSaveMemory expands the
pointer containing the XML description of the domain that it gets from
higher layers. If the pointer changes the old one is invalid and the
upper layer function tries to free it causing an abort.

This patch changes the expansion of the original string to a new
allocation and copy of the contents.

src/qemu/qemu_driver.c

@@ -2768,7 +2768,7 @@ static int
 qemuDomainSaveMemory(struct qemud_driver *driver,
                      virDomainObjPtr vm,
                      const char *path,
-                     const char *xml,
+                     const char *domXML,
                      int compressed,
                      bool was_running,
                      unsigned int flags,
@@ -2785,6 +2785,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
     unsigned long long pad;
     unsigned long long offset;
     size_t len;
+    char *xml = NULL;
 
     memset(&header, 0, sizeof(header));
     memcpy(header.magic, QEMUD_SAVE_PARTIAL, sizeof(header.magic));
@@ -2793,7 +2794,7 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
 
     header.compressed = compressed;
 
-    len = strlen(xml) + 1;
+    len = strlen(domXML) + 1;
     offset = sizeof(header) + len;
 
     /* Due to way we append QEMU state on our header with dd,
@@ -2807,10 +2808,12 @@ qemuDomainSaveMemory(struct qemud_driver *driver,
     pad = 1024;
     pad += (QEMU_MONITOR_MIGRATE_TO_FILE_BS -
             ((offset + pad) % QEMU_MONITOR_MIGRATE_TO_FILE_BS));
-    if (VIR_EXPAND_N(xml, len, pad) < 0) {
+    if (VIR_ALLOC_N(xml, len + pad) < 0) {
         virReportOOMError();
         goto cleanup;
     }
+    strcpy(xml, domXML);
+
     offset += pad;
     header.xml_len = len;
 
@@ -2878,6 +2881,7 @@ cleanup:
     VIR_FORCE_CLOSE(fd);
     virFileWrapperFdCatchError(wrapperFd);
     virFileWrapperFdFree(wrapperFd);
+    VIR_FREE(xml);
 
     if (ret != 0 && needUnlink)
         unlink(path);