qxl-render: add sanity check

Verify dirty rectangle is completely within the primary surface,
just ignore it in case it isn't.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index 84f1367716..cc2c2b1dbc 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -138,6 +138,12 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
         if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
             break;
         }
+        if (qxl->dirty[i].left > qxl->dirty[i].right ||
+            qxl->dirty[i].top > qxl->dirty[i].bottom ||
+            qxl->dirty[i].right > qxl->guest_primary.surface.width ||
+            qxl->dirty[i].bottom > qxl->guest_primary.surface.height) {
+            continue;
+        }
         qxl_blit(qxl, qxl->dirty+i);
         dpy_gfx_update(vga->con,
                        qxl->dirty[i].left, qxl->dirty[i].top,