Index: /trunk/include/VBox/VMMDev.h
===================================================================
--- /trunk/include/VBox/VMMDev.h	(revision 49845)
+++ /trunk/include/VBox/VMMDev.h	(revision 49846)
@@ -119,4 +119,6 @@
 /** Maximum number of HGCM parameters. */
 #define VMMDEV_MAX_HGCM_PARMS               1024
+/** Maximum total size of hgcm buffers in one call. */
+#define VMMDEV_MAX_HGCM_DATA_SIZE           UINT32_C(0x7FFFFFFF)
 
 /**
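Review bot: The new comment on `VMMDEV_MAX_HGCM_DATA_SIZE` does not say why the limit is 0x7FFFFFFF or how it is enforced, and it writes "hgcm" in lower case where the neighbouring comment uses "HGCM". The checks added in VMMDevHGCM.cpp compare each parameter size against `VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize`, so the value bounds the running total rather than any single buffer. I would word it as `/** Maximum total size of HGCM buffers in one call; a parameter that would push the accumulated size past this is rejected with VERR_INVALID_PARAMETER. */`. If the value was chosen to keep the sum within a signed 32-bit range, that reason belongs in the comment too; it is not visible from this diff.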
Index: /trunk/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp
===================================================================
--- /trunk/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp	(revision 49845)
+++ /trunk/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp	(revision 49846)
@@ -686,4 +686,10 @@
                     {
                         /* Only pointers with some actual data are counted. */
+                        if (pGuestParm->u.Pointer.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize)
+                        {
+                            rc = VERR_INVALID_PARAMETER;
+                            break;
+                        }
+
                         cbCmdSize += pGuestParm->u.Pointer.size;
 
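Review bot: The `break` in the added size check leaves only the innermost enclosing `switch` or loop, so whether the remaining guest parameters stop being processed after `rc = VERR_INVALID_PARAMETER` depends on code outside this hunk. The case label and any loop header are not visible here. If the parameters are walked in a loop that does not test `rc`, later parameters are still counted into `cbCmdSize`, and a later assignment could overwrite the error. Please confirm the loop condition includes `RT_SUCCESS(rc)`, or add `if (RT_FAILURE(rc)) break;` directly after the switch. The same question applies to the three other checks added in this file.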
@@ -699,4 +705,10 @@
                 case VMMDevHGCMParmType_PageList:
                 {
+                    if (pGuestParm->u.PageList.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize)
+                    {
+                        rc = VERR_INVALID_PARAMETER;
+                        break;
+                    }
+
                     cbCmdSize += pGuestParm->u.PageList.size;
                     Log(("vmmdevHGCMCall: pagelist size = %d\n", pGuestParm->u.PageList.size));
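Review bot: The rejection path for an oversized page list is silent, because the `break` skips the `Log` call that follows and a guest request that trips the limit leaves no trace of the offending size. A line such as `Log(("vmmdevHGCMCall: pagelist size %u exceeds limit\n", pGuestParm->u.PageList.size));` inside the new `if` would make rejected calls visible when investigating a misbehaving guest (this assumes `size` is an unsigned 32-bit field, which the hunk does not show). If it is promoted to the release log it should be rate limited, since the guest controls how often it fires. The pointer checks in the other hunks and the second page-list check have the same gap.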
@@ -738,4 +750,10 @@
                     {
                         /* Only pointers with some actual data are counted. */
+                        if (pGuestParm->u.Pointer.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize)
+                        {
+                            rc = VERR_INVALID_PARAMETER;
+                            break;
+                        }
+
                         cbCmdSize += pGuestParm->u.Pointer.size;
 
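Review bot: The expression `VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize` is a safe bound only while `cbCmdSize` is already at or below the limit. If `cbCmdSize` is unsigned and could start above it, the subtraction wraps and the check passes for any size. The initial value of `cbCmdSize` is set outside the hunks shown, presumably from the command header and parameter count, so this likely holds in practice, but nothing visible states it. An `Assert(cbCmdSize <= VMMDEV_MAX_HGCM_DATA_SIZE);` before each parameter walk, or a one-line comment recording the invariant, would make the dependency explicit. This applies equally to all four checks in this file.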
@@ -751,4 +769,10 @@
                 case VMMDevHGCMParmType_PageList:
                 {
+                    if (pGuestParm->u.PageList.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize)
+                    {
+                        rc = VERR_INVALID_PARAMETER;
+                        break;
+                    }
+
                     cbCmdSize += pGuestParm->u.PageList.size;
                     Log(("vmmdevHGCMCall: pagelist size = %d\n", pGuestParm->u.PageList.size));
