From 6a16f6900dd884e07125b51c9625f6be0a1f9b70 Mon Sep 17 00:00:00 2001
From: Felix Geyer <debfx-pkg@fobos.de>
Date: Tue, 28 Jun 2011 12:27:03 +0200
Subject: Imported Upstream version 4.0.10-dfsg

---
 src/VBox/Devices/VMMDev/VMMDev.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src/VBox/Devices/VMMDev/VMMDev.cpp')

diff --git a/src/VBox/Devices/VMMDev/VMMDev.cpp b/src/VBox/Devices/VMMDev/VMMDev.cpp
index bd9f65e81..a7ca0ca03 100644
--- a/src/VBox/Devices/VMMDev/VMMDev.cpp
+++ b/src/VBox/Devices/VMMDev/VMMDev.cpp
@@ -1489,10 +1489,11 @@ static DECLCALLBACK(int) vmmdevRequestHandler(PPDMDEVINS pDevIns, void *pvUser,
                     Log(("VMMDevReq_VideoSetVisibleRegion no rectangles!!!\n"));
                     pRequestHeader->rc = VERR_INVALID_PARAMETER;
                 }
-                else
-                if (pRequestHeader->size != sizeof(VMMDevVideoSetVisibleRegion) + (ptr->cRect-1)*sizeof(RTRECT))
+                else if (   ptr->cRect > _1M /* restrict to sane range */
+                         || pRequestHeader->size != sizeof(VMMDevVideoSetVisibleRegion) + ptr->cRect * sizeof(RTRECT) - sizeof(RTRECT))
                 {
-                    Log(("VMMDevReq_VideoSetVisibleRegion request size too small!!!\n"));
+                    Log(("VMMDevReq_VideoSetVisibleRegion: cRects=%#x doesn't match size=%#x or is out of bounds\n",
+                         ptr->cRect, pRequestHeader->size));
                     pRequestHeader->rc = VERR_INVALID_PARAMETER;
                 }
                 else
-- 
cgit v1.2.3