surface_id is a field in many QXL commands (commands that a guest can freely craft and send). In particular, they are used to create and destroy new surfaces. This field is used as an index into a statically allocated array. In different paths, the value passes without being stopped (in many cases it just gives some warnings, if enabled), so you can corrupt memory very easily. A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying nearby data). This means that the problem can be used for heap corruption, which is usually exploitable.
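The missing check described above, as an added example that is not SPICE's code or part of the original report: a simplified model of a surface table in which an out-of-range `surface_id` ends command processing instead of only producing a warning. `MAX_SURFACES`, the command constants, the struct layouts and the helper functions are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SURFACES 8u  /* hypothetical table size */
enum { CMD_SURFACE_CREATE, CMD_SURFACE_DESTROY };  /* hypothetical command types */

/* Guest-crafted command: every field is untrusted input. */
struct surface_cmd { uint32_t type; uint32_t surface_id; };
struct surface { bool in_use; };
struct worker {
    struct surface surfaces[MAX_SURFACES];  /* statically allocated array */
    uint32_t canary;                        /* stands in for neighbouring data */
};
static struct worker g_worker = { .canary = 0xC0FFEEu };

/* Returns 0 if the command was applied, -1 if it was rejected. */
int handle_surface_cmd(struct worker *w, const struct surface_cmd *c)
{
    /* The flawed pattern indexes w->surfaces[c->surface_id] directly (at most
     * logging a warning). Here an out-of-range id ends processing instead. */
    if (c->surface_id >= MAX_SURFACES)
        return -1;
    struct surface *s = &w->surfaces[c->surface_id];
    switch (c->type) {
    case CMD_SURFACE_CREATE:
        if (s->in_use) return -1;           /* slot already taken */
        s->in_use = true;
        return 0;
    case CMD_SURFACE_DESTROY:
        if (!s->in_use) return -1;          /* nothing to destroy */
        memset(s, 0, sizeof(*s));
        return 0;
    default:
        return -1;                          /* unknown command type */
    }
}

/* Constructed helpers for exercising the handler on the global worker. */
int submit(uint32_t type, uint32_t surface_id)
{
    struct surface_cmd c = { type, surface_id };
    return handle_surface_cmd(&g_worker, &c);
}
int canary_intact(void) { return g_worker.canary == 0xC0FFEEu; }

int main(void) { return submit(CMD_SURFACE_CREATE, MAX_SURFACES) == -1 && canary_intact() ? 0 : 1; }
```

The range test has to sit on every path that turns the guest-supplied id into an array reference, since the report notes the value passes unchecked through several different paths.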
Created spice tracking bugs for this issue: Affects: fedora-all [bug 1260908]
Acknowledgements: This issue was discovered by Frediano Ziglio of Red Hat.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html