    reds: fix nullptr deref in red-parse-qxl.cpp · 1fae1191
    Qiuhao Li authored and Frediano Ziglio committed
    At red-parse-qxl.cpp#L535
            if (qxl_flags & QXL_BITMAP_DIRECT) {
                red-> = red_get_image_data_flat(slots, group_id,
    Since qxl-> may come from the guest, an attacker can make the
    memslot_get_virt() check in red_get_image_data_flat() fail and
    return a nullptr.
    Then at red-parse-qxl.cpp#L550
            if (qxl_flags & QXL_BITMAP_UNSTABLE) {
                red->>flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
    qxl_flags is assigned as qxl->bitmap.flags before, which can also be
    controlled by the attacker, resulting in a NULL pointer dereference.
    This dereference seems to have been introduced by commit 5ac88aa7.
    Signed-off-by: Qiuhao Li <>
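The pattern the commit message describes, as an added illustration that is not code from the spice project: a guest-supplied descriptor carries both a data address and a flags word, a memslot lookup rejects the address by returning NULL, and a second guest-chosen flag then drives a write through that NULL pointer. The example models a single memslot with a hypothetical `memslot_get_virt()` / `get_image_data_flat()` pair, shows the unchecked parse beside a checked one that stops at the failed lookup, and includes constructed descriptors (in-range, out-of-range, and a length that overruns the slot) to exercise the check. Every name, constant and address below is invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example; names only mirror the shape of the commit message. */
#define QXL_BITMAP_DIRECT     0x01u   /* data is a flat guest buffer */
#define QXL_BITMAP_UNSTABLE   0x02u   /* guest may rewrite the data later */
#define CHUNKS_FLAGS_UNSTABLE 0x01u

struct memslot { uintptr_t base; size_t size; };
struct chunks  { uint32_t flags; const unsigned char *ptr; size_t len; };
/* Descriptor as read from guest memory: every field is guest-controlled. */
struct guest_bitmap { uint32_t flags; uintptr_t data; size_t len; };

static unsigned char backing[256];                 /* host memory behind the slot */
static const struct memslot slot = { 0x1000, sizeof backing };

/* Guest address -> host pointer, NULL when [addr, addr+len) leaves the slot.
 * Subtractions are ordered so the range comparison cannot wrap. */
const unsigned char *memslot_get_virt(uintptr_t addr, size_t len) {
    if (len > slot.size || addr < slot.base || addr - slot.base > slot.size - len)
        return NULL;
    return backing + (addr - slot.base);
}

/* Host-side description of the image, or NULL when validation fails.
 * The caller owns (and must free) the result. */
struct chunks *get_image_data_flat(uintptr_t addr, size_t len) {
    const unsigned char *p = memslot_get_virt(addr, len);
    if (p == NULL)
        return NULL;
    struct chunks *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->ptr = p;
    c->len = len;
    return c;
}

/* Unchecked form: the NULL result is stored, and a second guest-chosen flag
 * then writes through it. Kept only for contrast with the checked version. */
struct chunks *parse_bitmap_unchecked(const struct guest_bitmap *qxl) {
    struct chunks *data = NULL;
    uint32_t qxl_flags = qxl->flags;
    if (qxl_flags & QXL_BITMAP_DIRECT)
        data = get_image_data_flat(qxl->data, qxl->len);
    if (qxl_flags & QXL_BITMAP_UNSTABLE)
        data->flags |= CHUNKS_FLAGS_UNSTABLE;   /* NULL dereference if lookup failed */
    return data;
}

/* Checked form: a failed translation ends parsing before any use of data. */
struct chunks *parse_bitmap_checked(const struct guest_bitmap *qxl) {
    uint32_t qxl_flags = qxl->flags;
    if (!(qxl_flags & QXL_BITMAP_DIRECT))
        return NULL;                            /* other layouts not modelled */
    struct chunks *data = get_image_data_flat(qxl->data, qxl->len);
    if (data == NULL)
        return NULL;                            /* reject the descriptor outright */
    if (qxl_flags & QXL_BITMAP_UNSTABLE)
        data->flags |= CHUNKS_FLAGS_UNSTABLE;   /* data is known non-NULL here */
    return data;
}

int main(void) {
    /* Constructed descriptors: one valid, one pointing outside the slot. */
    struct guest_bitmap ok  = { QXL_BITMAP_DIRECT | QXL_BITMAP_UNSTABLE, 0x1000, 16 };
    struct guest_bitmap bad = { QXL_BITMAP_DIRECT | QXL_BITMAP_UNSTABLE, 0x5000, 16 };
    struct chunks *c = parse_bitmap_checked(&ok);
    printf("valid descriptor: %s, flags=0x%x\n", c ? "accepted" : "rejected", c ? c->flags : 0);
    free(c);
    printf("out-of-slot descriptor: %s\n", parse_bitmap_checked(&bad) ? "accepted" : "rejected");
    return 0;
}
```

The ordering inside `memslot_get_virt()` matters as much as the NULL check: `addr - slot.base > slot.size - len` is only evaluated after both `addr < slot.base` and `len > slot.size` have been excluded, so neither subtraction can wrap around on a guest-chosen value.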