An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
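To make the bug class concrete, here is an added example (not QEMU's ati-vga code, and not the unmerged patch referenced on this page): a deliberately simplified model of a 2D engine whose destination registers are written by the guest through MMIO. `blt_fill_unchecked` is the vulnerable shape, indexing emulated VRAM straight from guest-controlled `dst_x`, `dst_y`, `dst_pitch`, `width` and `height`; `blt_dst_in_bounds` is the check a fix needs, written so that the validation arithmetic itself cannot wrap. All type, field and function names, the 64 KiB VRAM size and the sample register values are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of a 2D blit engine. Added illustration of
 * the bug class (guest-controlled destination parameters indexing emulated
 * VRAM); every name and size here is invented, none of it is QEMU's code. */
#define VRAM_SIZE (64u * 1024u)   /* constructed: 64 KiB of emulated VRAM */
#define BPP 4u                    /* constructed: 32 bpp destination surface */

typedef struct {
    uint8_t  vram[VRAM_SIZE];
    uint32_t dst_x, dst_y;        /* destination offset, guest-written via MMIO */
    uint32_t dst_pitch;           /* bytes per destination line, guest-written */
    uint32_t width, height;       /* blit rectangle, guest-written */
    uint32_t fill;                /* solid fill value */
} ati2d_model;

static ati2d_model g_dev;         /* single emulated device instance (zeroed) */

/* Vulnerable shape: trusts the guest-supplied registers and indexes VRAM
 * directly. A large dst_y, dst_pitch or width pushes the write past vram[]
 * and crashes the emulator process. Kept only to show the pattern; in this
 * file it is reached only after blt_dst_in_bounds() has accepted the values. */
static void blt_fill_unchecked(ati2d_model *m)
{
    for (uint32_t y = 0; y < m->height; y++) {
        uint8_t *line = m->vram + (size_t)(m->dst_y + y) * m->dst_pitch
                               + (size_t)m->dst_x * BPP;
        for (uint32_t x = 0; x < m->width; x++)
            memcpy(line + (size_t)x * BPP, &m->fill, BPP);
    }
}

/* Validate the rectangle before touching memory. Each intermediate value is
 * bounded before it is multiplied, so the check itself cannot overflow.
 * Returns 1 when every byte the blit would write lies inside vram[]. */
static int blt_dst_in_bounds(const ati2d_model *m)
{
    if (m->width == 0 || m->height == 0)
        return 1;                                   /* nothing is written */
    if (m->dst_pitch == 0 || m->dst_pitch > VRAM_SIZE)
        return 0;
    uint64_t row_end = ((uint64_t)m->dst_x + m->width) * BPP;   /* < 2^35 */
    if (row_end > m->dst_pitch)
        return 0;                                   /* row would spill into the next line */
    uint64_t last_line = (uint64_t)m->dst_y + m->height - 1;    /* < 2^33 */
    if (last_line >= VRAM_SIZE)
        return 0;                                   /* pitch >= 1, so that line starts past the end */
    uint64_t end = last_line * m->dst_pitch + row_end;          /* bounded by the checks above */
    return end <= VRAM_SIZE;
}

/* Hardened MMIO-side entry point: latch the registers, reject bad geometry,
 * and only then run the blit. Returns 0 on success, -1 when the
 * guest-supplied parameters are refused. */
static int blt_fill_checked(uint32_t x, uint32_t y, uint32_t pitch,
                            uint32_t w, uint32_t h, uint32_t fill)
{
    ati2d_model *m = &g_dev;
    m->dst_x = x; m->dst_y = y; m->dst_pitch = pitch;
    m->width = w; m->height = h; m->fill = fill;
    if (!blt_dst_in_bounds(m))
        return -1;
    blt_fill_unchecked(m);
    return 0;
}

/* Read back a 32-bit word from the model's VRAM (verification helper). */
static uint32_t vram_word(uint32_t byte_off)
{
    uint32_t v = 0;
    if (byte_off <= VRAM_SIZE - BPP)
        memcpy(&v, g_dev.vram + byte_off, BPP);
    return v;
}

int main(void)
{
    /* Constructed inputs: one legitimate 4x2 fill, then three guest-style abuses. */
    printf("4x2 fill at 0,0     -> %d\n", blt_fill_checked(0, 0, 1024, 4, 2, 0xAABBCCDDu));
    printf("dst_y = 0xFFFFFFFF  -> %d\n", blt_fill_checked(0, 0xFFFFFFFFu, 1024, 1, 1, 0));
    printf("last line past end  -> %d\n", blt_fill_checked(0, 64, 1024, 256, 1, 0));
    printf("dst_x+width wraps   -> %d\n", blt_fill_checked(0xFFFFFFFFu, 0, 1024, 2, 1, 0));
    return 0;
}
```

The third abuse is the one worth studying: with 32-bit arithmetic `dst_x + width` wraps to 1 and the naive offset looks tiny, so a check written as `(dst_x + width) * BPP <= pitch` in the register's own width would pass it. Widening to 64 bits first, and bounding `dst_pitch` and `last_line` before multiplying, keeps the validation itself free of the wraparound it is meant to catch.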
The only real reference is Red Hat's bug; the unmerged patch is here:
.. though upstream seems to think this isn't a real security bug, since ati-vga is clearly experimental.