diff --git a/server/memslot.c b/server/memslot.c
index c2931321..97311b2e 100644
--- a/server/memslot.c
+++ b/server/memslot.c
@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
 MemSlot *slot;
- if (group_id > info->num_memslots_groups) {
+ if (group_id >= info->num_memslots_groups) {
 spice_critical("group_id too big");
 return NULL;
 }
 slot_id = memslot_get_id(info, addr);
- if (slot_id > info->num_memslots) {
+ if (slot_id >= info->num_memslots) {
 print_memslots(info);
 spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
 return NULL;
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
index 324f7fdc..edccfee4 100644
--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
 g_free(from_physical(qxl->u.surface_create.data));
 }
+static void test_memslot_invalid_group_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+ g_test_trap_assert_stderr("*group_id too big*");
+
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
 static void test_no_issues(void)
 {
 RedMemSlotInfo mem_info;
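Review bot: The `>=` checks on `group_id` and `slot_id` in memslot_get_virt (server/memslot.c) have no comment stating that both values must stay strictly below their counts, presumably because they are used as indices later in the function, which lies outside this hunk. Since `slot_id` is decoded from `addr` by `memslot_get_id()`, it is likely influenced by whoever supplies the address, so the invariant is worth writing down where the next maintainer will see it. A one-line comment above the first check would do, e.g. `/* group_id and slot_id are used as indices: valid range is 0 .. count - 1 */`.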
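Review bot: In test_memslot_invalid_slot_id (server/tests/test-qxl-parsing.c) the address is built with `1 << mem_info.memslot_id_shift`, where `1` is an `int`. If the shift is 31 or more, which seems likely given that memslot.c prints `addr` with `PRIx64`, the shift is undefined behaviour and the test may not encode slot id 1 at all. Use a 64-bit operand instead: `memslot_get_virt(&mem_info, UINT64_C(1) << mem_info.memslot_id_shift, 16, 0);`. Separately, test_memslot_invalid_addresses only matches stderr; adding `g_test_trap_assert_failed()` or `g_test_trap_assert_passed()` after each `g_test_trap_subprocess()` call, whichever fits how `spice_critical` ends the process in this build, would pin the subprocess outcome as well.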
@@ -269,6 +294,11 @@ int main(int argc, char *argv[])
 {
 g_test_init(&argc, &argv, NULL);
+ /* try to use invalid memslot group/slot */
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
 /* try to create a surface with no issues, should succeed */
 g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
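Review bot: The added comment in main does not say that the two `/subprocess/` entries are helpers rather than standalone tests. GLib skips test paths containing `/subprocess` in a normal run and executes them only through `g_test_trap_subprocess()`, so a reader may otherwise expect them to run directly and hit `spice_critical`. Consider wording the comment as `/* invalid memslot group/slot: the subprocess entries run only via g_test_trap_subprocess() */`. main's body continues outside the hunk.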