reds: fix nullptr deref in red-parse-qxl.cpp

At red-parse-qxl.cpp#L535

        if (qxl_flags & QXL_BITMAP_DIRECT) {
            red-> = red_get_image_data_flat(slots, group_id,

Since qxl-> may come from the guest, an attacker can make the
memslot_get_virt() check in red_get_image_data_flat() fail and
return a nullptr.

Then at red-parse-qxl.cpp#L550

        if (qxl_flags & QXL_BITMAP_UNSTABLE) {
            red->>flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;

qxl_flags is assigned as qxl->bitmap.flags before, which can also be
controlled by the attacker, resulting in a NULL pointer dereference.

This dereference seems to be introduced by commit 5ac88aa7.

Signed-off-by: Qiuhao Li <>
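The pattern the commit describes, as an added illustration that is not part of this commit or of the SPICE code base: a guest-controlled address is validated against a memslot, the lookup returns NULL when validation fails, and the parser must check that result before it touches a flags field on the returned object. Every name here (model_slot, model_get_image_data_flat, model_parse_bitmap, the MODEL_* constants) is a constructed stand-in, not a real QXL/SPICE identifier; the bounds arithmetic is a simplification chosen for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in flag bits; not the real QXL/SPICE constants. */
#define MODEL_BITMAP_DIRECT         (1u << 0)
#define MODEL_BITMAP_UNSTABLE       (1u << 1)
#define MODEL_CHUNKS_FLAGS_UNSTABLE (1u << 0)

/* Constructed model of a validated guest memslot: only addresses inside
 * [base, base + size) are accepted. */
struct model_slot { uintptr_t base; size_t size; };

/* Constructed model of the chunks object the parser fills in. */
struct model_chunks { uint32_t flags; size_t len; };

/* Stand-in for memslot_get_virt(): NULL when [addr, addr + len) is not
 * fully inside the slot. The model never reads through the pointer. */
static void *model_slot_get_virt(const struct model_slot *slot,
                                 uintptr_t addr, size_t len)
{
    if (len > slot->size || addr < slot->base ||
        addr > slot->base + slot->size - len)
        return NULL;
    return (void *)addr;
}

/* Stand-in for red_get_image_data_flat(): returns NULL when the guest
 * address fails validation, otherwise an allocated chunks object. */
static struct model_chunks *model_get_image_data_flat(const struct model_slot *slot,
                                                      uintptr_t addr, size_t len)
{
    if (model_slot_get_virt(slot, addr, len) == NULL)
        return NULL;
    struct model_chunks *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->flags = 0;
    c->len = len;
    return c;
}

/* Hardened parse step. Returns 0 on success with *out set to the allocated
 * chunks, -1 on rejected input with *out left NULL. The NULL check right
 * after the lookup is what keeps the later flags update from dereferencing
 * a null pointer when the guest supplies both a bad address and the
 * UNSTABLE flag. */
static int model_parse_bitmap(const struct model_slot *slot, uint32_t qxl_flags,
                              uintptr_t data_addr, size_t len,
                              struct model_chunks **out)
{
    *out = NULL;
    if (!(qxl_flags & MODEL_BITMAP_DIRECT))
        return -1;                      /* chunked path not modeled here */

    *out = model_get_image_data_flat(slot, data_addr, len);
    if (*out == NULL)
        return -1;                      /* stop before any dereference */

    if (qxl_flags & MODEL_BITMAP_UNSTABLE)
        (*out)->flags |= MODEL_CHUNKS_FLAGS_UNSTABLE;   /* *out is non-NULL */
    return 0;
}

int main(void)
{
    struct model_slot slot = { 0x1000, 0x1000 };
    struct model_chunks *chunks = NULL;
    int ok  = model_parse_bitmap(&slot, MODEL_BITMAP_DIRECT | MODEL_BITMAP_UNSTABLE,
                                 0x1100, 16, &chunks);
    free(chunks);
    int bad = model_parse_bitmap(&slot, MODEL_BITMAP_DIRECT | MODEL_BITMAP_UNSTABLE,
                                 0x9000, 16, &chunks);
    return (ok == 0 && bad == -1 && chunks == NULL) ? 0 : 1;
}
```

The second call in main() is the shape of the case the commit describes: an out-of-slot address combined with the UNSTABLE flag. With the check in place it is rejected; without it, the flags update would run on a NULL object.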