Signed-off-by: Alon Levy <al...@redhat.com>
---
 hw/qxl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/hw/qxl.c b/hw/qxl.c
index 1b47ed3..620b476 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -453,6 +453,16 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
 cmd->u.surface_create.stride);
 return 1;
 }
+ if (cmd->type == QXL_SURFACE_CMD_CREATE) {
+ intptr_t surface_offset = (intptr_t)qxl_phys2virt(qxl,
+ cmd->u.surface_create.data,
+ MEMSLOT_GROUP_GUEST);
+ if (!surface_offset) {
+ qxl_set_guest_bug(qxl, "QXL_CMD_SURFACE invalid data: %ld\n",
+ cmd->u.surface_create.data);
+ return 1;
+ }
+ }
 qemu_mutex_lock(&qxl->track_lock);
 if (cmd->type == QXL_SURFACE_CMD_CREATE) {
 qxl->guest_surfaces.cmds[id] = ext->cmd.data;
-- 
1.7.12.1
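Review bot: The `%ld` in the new qxl_set_guest_bug call does not match a 64-bit guest-physical field: if `cmd->u.surface_create.data` is a `QXLPHYSICAL` (a `uint64_t`, as in the spice protocol headers) this is a format/argument mismatch on hosts where `long` is 32 bits, and a guest address reads better in hex anyway; suggest `qxl_set_guest_bug(qxl, "QXL_CMD_SURFACE invalid data: 0x%" PRIx64 "\n", cmd->u.surface_create.data);`. Separately, the added guard only validates the start address of the surface data; unless qxl_phys2virt also checks that `height * stride` bytes fit inside the memslot (not visible here), a start address just below the slot end still passes and the extent is left for later consumers to trust, so a comment such as `/* validates only the first byte of the surface; extent is not range-checked here */` or an explicit length check would make the contract clear. The local `surface_offset` holds a host virtual address, not an offset, so `if (!qxl_phys2virt(qxl, cmd->u.surface_create.data, MEMSLOT_GROUP_GUEST))` would be both clearer and shorter. qxl_track_command's body begins before and continues after this hunk.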