An integer overflow in the cursor_alloc() function of the QXL display device emulation can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow.