At red-parse-qxl.cpp#L535:

    if (qxl_flags & QXL_BITMAP_DIRECT) {
        red->u.bitmap.data = red_get_image_data_flat(slots, group_id, qxl->bitmap.data, bitmap_size);

Since qxl->bitmap.data may come from the guest, an attacker can make the memslot_get_virt() check in red_get_image_data_flat() fail and return a nullptr.

Then at red-parse-qxl.cpp#L550:

    if (qxl_flags & QXL_BITMAP_UNSTABLE) {
        red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
    }

qxl_flags is assigned as qxl->bitmap.flags before, which can also be controlled by the attacker, resulting in a NULL pointer dereference.

This dereference seems to be introduced by commit 5ac88aa7.

Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
1fae1191
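The pattern the commit message describes, reduced to a self-contained model, as an added example that is not spice's own code: a guest-controlled descriptor (both the data address and the flags) is translated through a memslot lookup that can fail, and the vulnerable parser stores that possibly-NULL result and then dereferences it when the guest also sets the UNSTABLE flag. The `Slot`, `QxlBitmap` and `Chunks` types, the `slot_get_virt()` and `get_image_data_flat()` stand-ins for memslot_get_virt() and red_get_image_data_flat(), the two `parse_bitmap_*` functions and the flag values are all constructed for this example and do not match the real QXL/SPICE definitions. The checked variant shows the shape of the fix a reviewer would expect: a failed lookup is a malformed command and is rejected before any field of the chunk descriptor is touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag values for this example; not the real QXL/SPICE constants. */
#define QXL_BITMAP_DIRECT           (1u << 0)
#define QXL_BITMAP_UNSTABLE         (1u << 1)
#define SPICE_CHUNKS_FLAGS_UNSTABLE (1u << 0)

/* Hypothetical memory slot: one contiguous guest range mapped at `host`. */
typedef struct { uint64_t start; uint64_t size; uint8_t *host; } Slot;

/* Hypothetical guest-supplied bitmap descriptor; every field is attacker-controlled. */
typedef struct { uint32_t flags; uint64_t data; size_t size; } QxlBitmap;

/* Host-side chunk descriptor, standing in for SpiceChunks. */
typedef struct { uint32_t flags; size_t len; uint8_t *data; } Chunks;

/* Stand-in for memslot_get_virt(): map a guest range to a host pointer, or
 * return NULL when the range does not lie entirely inside the slot. The
 * `size > slot->size` test runs first so the subtraction cannot underflow. */
static uint8_t *slot_get_virt(const Slot *slot, uint64_t addr, uint64_t size)
{
    if (addr < slot->start || size > slot->size ||
        addr - slot->start > slot->size - size) {
        return NULL;
    }
    return slot->host + (addr - slot->start);
}

/* Stand-in for red_get_image_data_flat(): propagates a failed lookup as NULL. */
static Chunks *get_image_data_flat(const Slot *slot, uint64_t addr, size_t size, Chunks *out)
{
    uint8_t *p = slot_get_virt(slot, addr, size);
    if (p == NULL) {
        return NULL;
    }
    out->flags = 0;
    out->len = size;
    out->data = p;
    return out;
}

/* Vulnerable shape from the commit message: the lookup result is stored, then
 * dereferenced when QXL_BITMAP_UNSTABLE is set, with no NULL check in between.
 * With a guest address outside the slot this dereferences NULL, so it is only
 * ever called here with a descriptor known to be valid. */
static Chunks *parse_bitmap_vulnerable(const Slot *slot, const QxlBitmap *qxl, Chunks *out)
{
    Chunks *chunks = NULL;
    if (qxl->flags & QXL_BITMAP_DIRECT) {
        chunks = get_image_data_flat(slot, qxl->data, qxl->size, out);
    }
    if (qxl->flags & QXL_BITMAP_UNSTABLE) {
        chunks->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;   /* NULL deref when lookup failed */
    }
    return chunks;
}

/* Hardened form: reject the command as soon as the guest pointer fails to
 * translate, before any flag is applied to the chunk descriptor. */
static bool parse_bitmap_checked(const Slot *slot, const QxlBitmap *qxl, Chunks *out)
{
    if (!(qxl->flags & QXL_BITMAP_DIRECT)) {
        return false;   /* non-DIRECT bitmaps are outside the scope of this example */
    }
    if (get_image_data_flat(slot, qxl->data, qxl->size, out) == NULL) {
        return false;   /* guest pointed outside its memslot: drop the command */
    }
    if (qxl->flags & QXL_BITMAP_UNSTABLE) {
        out->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
    }
    return true;
}

/* Run the checked parser on a constructed 256-byte guest slot at 0x1000 with a
 * DIRECT|UNSTABLE descriptor pointing at `guest_addr`. Returns the resulting
 * chunk flags on success, or -1 when the command is rejected. */
static int run_checked_example(uint64_t guest_addr)
{
    static uint8_t guest_mem[256];                          /* constructed guest memory */
    const Slot slot = { 0x1000, sizeof guest_mem, guest_mem };
    const QxlBitmap qxl = { QXL_BITMAP_DIRECT | QXL_BITMAP_UNSTABLE, guest_addr, 64 };
    Chunks c;
    if (!parse_bitmap_checked(&slot, &qxl, &c)) {
        return -1;
    }
    return (int)c.flags;
}

int main(void)
{
    printf("in-slot address 0x1010 -> %d\n", run_checked_example(0x1010));   /* 1: accepted, UNSTABLE set */
    printf("out-of-slot address 0x9000 -> %d\n", run_checked_example(0x9000)); /* -1: rejected */
    /* parse_bitmap_vulnerable() with the 0x9000 descriptor would crash here. */
    return 0;
}
```

The two parsers differ only in where the NULL check sits: the vulnerable one trusts that a DIRECT bitmap always produced a chunk list, while the checked one treats the lookup failure as a command-level error and returns before the flags branch, which is the property to confirm when reviewing a fix for this dereference.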