I/O writes make cirrus_invalidate_region() crash

As of commit d19f1ab0, LLVM libFuzzer found:

qemu-fuzz-i386: hw/display/cirrus_vga.c:646: void cirrus_invalidate_region(CirrusVGAState *, int, int, int, int): Assertion `off_cur_end >= off_cur' failed.
==1336555== ERROR: libFuzzer: deadly signal
    #0 0xaaaaaf943ce4 in __sanitizer_print_stack_trace
    #1 0xaaaaaf899474 in fuzzer::PrintStackTrace()
    #2 0xaaaaaf884c80 in fuzzer::Fuzzer::CrashCallback()
    #3 0xffff9b4e8568 (linux-vdso.so.1+0x568)
    #4 0xffff99ac406c in __libc_signal_restore_set /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #5 0xffff99ac406c in raise /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #6 0xffff99ab0d64 in abort /build/glibc-w4ZToO/glibc-2.31/stdlib/abort.c:79:7
    #7 0xffff99abd5d8 in __assert_fail_base /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:92:3
    #8 0xffff99abd640 in __assert_fail /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:101:3
    #9 0xaaaab040768c in cirrus_invalidate_region
    #10 0xaaaab0405404 in cirrus_bitblt_solidfill
    #11 0xaaaab0402a88 in cirrus_bitblt_start
    #12 0xaaaab04046a8 in cirrus_write_bitblt
    #13 0xaaaab0400db4 in cirrus_vga_write_gr
    #14 0xaaaab03fd33c in cirrus_vga_ioport_write
    #15 0xaaaaafb41674 in memory_region_write_accessor
    #16 0xaaaaafb411ec in access_with_adjusted_size
    #17 0xaaaaafb40180 in memory_region_dispatch_write
    #18 0xaaaaaf995dfc in flatview_write_continue
    #19 0xaaaaaf985bd8 in flatview_write
    #20 0xaaaaaf98574c in address_space_write
    #21 0xaaaab110510c in ioport_fuzz_qtest
    #22 0xaaaab1103a48 in i440fx_fuzz_qtest
    #23 0xaaaab11010d8 in LLVMFuzzerTestOneInput

Reproducer:

qemu-system-i386 -M isapc,accel=qtest -vga cirrus -qtest stdio << 'EOF'
outl 0x03b1 0x2fdc1001
outb 0x03cc 0xe
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0x2f23dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe2af40e
outl 0x03cc 0x2f235612
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x2fdcf40e
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0xe23dc12
outb 0x03cc 0x2f
outl 0x03cc 0xedc100e
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xe130100e
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe33f40e
outl 0x03cc 0xdc235612
outb 0x03cc 0xe
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xfb24100e
outb 0x03cc 0x2f
outl 0x03cc 0xdc10dc0e
outl 0x03cc 0x2f31dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x1021f40e
EOF
qemu-system-i386: hw/display/cirrus_vga.c:645: cirrus_invalidate_region: Assertion `off_cur_end >= off_cur' failed.
Aborted (core dumped)

(gdb) bt
#0 0x00007f1d019fee35 in raise () at /lib64/libc.so.6
#1 0x00007f1d019e9895 in abort () at /lib64/libc.so.6
#2 0x00007f1d019e9769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f1d019f7566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x00005645cb447a37 in cirrus_invalidate_region (s=0x5645cd237540, off_begin=2097204, off_pitch=251, bytesperline=1, lines=7169) at hw/display/cirrus_vga.c:645
#5 0x00005645cb447cc8 in cirrus_bitblt_solidfill (s=0x5645cd237540, blt_rop=0) at hw/display/cirrus_vga.c:704
#6 0x00005645cb448886 in cirrus_bitblt_start (s=0x5645cd237540) at hw/display/cirrus_vga.c:1005
#7 0x00005645cb448dd1 in cirrus_write_bitblt (s=0x5645cd237540, reg_value=47) at hw/display/cirrus_vga.c:1090
#8 0x00005645cb449b02 in cirrus_vga_write_gr (s=0x5645cd237540, reg_index=49, reg_value=47) at hw/display/cirrus_vga.c:1593
#9 0x00005645cb44bb2f in cirrus_vga_ioport_write (opaque=0x5645cd237540, addr=975, val=47, size=1) at hw/display/cirrus_vga.c:2686
#10 0x00005645cb1e0d6e in memory_region_write_accessor (mr=0x5645cd247f10, addr=31, value=0x7fff178d6c18, size=1, shift=24, mask=255, attrs=...) at memory.c:483
#11 0x00005645cb1e0f7f in access_with_adjusted_size (addr=28, value=0x7fff178d6c18, size=4, access_size_min=1, access_size_max=1, access_fn=
    0x5645cb1e0c8b <memory_region_write_accessor>, mr=0x5645cd247f10, attrs=...) at memory.c:544
#12 0x00005645cb1e3e9d in memory_region_dispatch_write (mr=0x5645cd247f10, addr=28, data=791796754, op=MO_32, attrs=...) at memory.c:1476
#13 0x00005645cb1845e5 in flatview_write_continue (fv=0x5645cd65e510, addr=972, attrs=..., ptr=0x7fff178d6da4, len=4, addr1=28, l=4, mr=0x5645cd247f10) at exec.c:3137
#14 0x00005645cb18472a in flatview_write (fv=0x5645cd65e510, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3177
#15 0x00005645cb184a7d in address_space_write (as=0x5645cbd7bb20 <address_space_io>, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3268
#16 0x00005645cb1db385 in cpu_outl (addr=972, val=791796754) at ioport.c:80