reds: fix nullptr deref in red-parse-qxl.cpp

At red-parse-qxl.cpp#L535

        if (qxl_flags & QXL_BITMAP_DIRECT) {
            red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
                                                         qxl->bitmap.data,
                                                         bitmap_size);

Since qxl->bitmap.data may come from the guest, an attacker can make the
memslot_get_virt() check in red_get_image_data_flat() fail and
return a nullptr.

Then at red-parse-qxl.cpp#L550

        if (qxl_flags & QXL_BITMAP_UNSTABLE) {
            red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
        }

qxl_flags is assigned as qxl->bitmap.flags before, which can also be
controlled by the attacker, resulting in a NULL pointer dereference.

This dereference seems to have been introduced by commit 5ac88aa7.

Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
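As an added example (not the spice project's code), a small C model of the bug class the message describes: a guest-controlled data pointer that fails the memslot check yields a NULL chunks object, and the hardened parse rejects the image before the UNSTABLE flag is OR-ed into it. The memslot layout, the struct shapes and parse_guest_bitmap() are hypothetical; only the flag names come from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the flag bits named in the commit message. */
#define QXL_BITMAP_DIRECT           (1u << 0)
#define QXL_BITMAP_UNSTABLE         (1u << 1)
#define SPICE_CHUNKS_FLAGS_UNSTABLE (1u << 0)
/* Hypothetical models: a guest memory slot, the host chunks object, and the guest-controlled header. */
typedef struct { uint64_t guest_base; size_t len; uint8_t *host; } MemSlot;
typedef struct { uint32_t flags; uint8_t *data; } SpiceChunks;
typedef struct { uint32_t flags; uint64_t data; size_t size; } QXLBitmap;
/* Model of memslot_get_virt(): NULL when [addr, addr+size) is not inside the slot. */
static uint8_t *memslot_get_virt(const MemSlot *slot, uint64_t addr, size_t size)
{
    if (size > slot->len || addr < slot->guest_base) return NULL;
    uint64_t off = addr - slot->guest_base;
    if (off > slot->len - size) return NULL;   /* overflow-safe upper-bound check */
    return slot->host + off;
}
/* Model of red_get_image_data_flat(): propagates the NULL from a failed memslot check. */
static SpiceChunks *red_get_image_data_flat(const MemSlot *slot, uint64_t addr, size_t size, SpiceChunks *chunks)
{
    uint8_t *virt = memslot_get_virt(slot, addr, size);
    if (virt == NULL) return NULL;
    chunks->flags = 0; chunks->data = virt;
    return chunks;
}
/* Hardened parse: reject the image when the data pointer did not resolve, so the
 * UNSTABLE flag is only ever OR-ed into a non-NULL chunks object. */
static bool red_get_bitmap(const MemSlot *slot, const QXLBitmap *qxl, SpiceChunks *chunks)
{
    uint32_t qxl_flags = qxl->flags;                      /* guest-controlled */
    if (!(qxl_flags & QXL_BITMAP_DIRECT)) return false;   /* chunked path not modelled */
    SpiceChunks *data = red_get_image_data_flat(slot, qxl->data, qxl->size, chunks);
    if (data == NULL) return false;                       /* the missing check: fail, don't deref */
    if (qxl_flags & QXL_BITMAP_UNSTABLE) data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
    return true;
}

/* Feeds one guest header to the parser against a 64-byte slot mapped at guest address 0x1000.
 * Returns 1 if accepted with UNSTABLE set, 0 if accepted without it, -1 if rejected. */
int parse_guest_bitmap(uint64_t guest_addr, uint32_t guest_flags)
{
    static uint8_t host_buf[64];
    MemSlot slot = { 0x1000, sizeof host_buf, host_buf };
    QXLBitmap qxl = { guest_flags, guest_addr, 16 };
    SpiceChunks chunks;
    if (!red_get_bitmap(&slot, &qxl, &chunks)) return -1;
    return (chunks.flags & SPICE_CHUNKS_FLAGS_UNSTABLE) ? 1 : 0;
}
```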