Index: /trunk/src/VBox/Main/src-client/HGCM.cpp
===================================================================
--- /trunk/src/VBox/Main/src-client/HGCM.cpp	(revision 70598)
+++ /trunk/src/VBox/Main/src-client/HGCM.cpp	(revision 70599)
@@ -105,6 +105,6 @@
         VBOXHGCMSVCFNTABLE m_fntable;
 
-        int m_cClients;
-        int m_cClientsAllocated;
+        uint32_t m_cClients;
+        uint32_t m_cClientsAllocated;
 
         uint32_t *m_paClientIds;
@@ -1201,5 +1201,5 @@
          * The global state of a service is configured during VM startup.
          */
-        int i;
+        uint32_t i;
 
         for (i = 0; i < pSvc->m_cClients; i++)
@@ -1376,8 +1376,29 @@
                 if (m_cClients == m_cClientsAllocated)
                 {
-                    m_paClientIds = (uint32_t *)RTMemRealloc(m_paClientIds, (m_cClientsAllocated + 64) *
-                                                             sizeof(m_paClientIds[0]));
-                    Assert(m_paClientIds);
-                    m_cClientsAllocated += 64;
+                    const uint32_t cDelta = 64;
+
+                    /* Guards against integer overflow on 32bit arch and also limits size of m_paClientIds array to 4GB*/
+                    if (m_cClientsAllocated < UINT32_MAX / sizeof(m_paClientIds[0]) - cDelta)
+                    {
+                        uint32_t *paClientIdsNew;
+
+                        paClientIdsNew = (uint32_t *)RTMemRealloc(m_paClientIds, (m_cClientsAllocated + cDelta) *
+                            sizeof(m_paClientIds[0]));
+                        Assert(paClientIdsNew);
+
+                        if (paClientIdsNew)
+                        {
+                            m_paClientIds = paClientIdsNew;
+                            m_cClientsAllocated += cDelta;
+                        }
+                        else
+                        {
+                            rc = VERR_NO_MEMORY;
+                        }
+                    }
+                    else
+                    {
+                        rc = VERR_NO_MEMORY;
+                    }
                 }
 
@@ -1443,5 +1464,5 @@
 
     /* Remove the client id from the array in any case, rc does not matter. */
-    int i;
+    uint32_t i;
 
     for (i = 0; i < m_cClients; i++)
Index: /trunk/src/VBox/Main/src-client/VMMDevInterface.cpp
===================================================================
--- /trunk/src/VBox/Main/src-client/VMMDevInterface.cpp	(revision 70598)
+++ /trunk/src/VBox/Main/src-client/VMMDevInterface.cpp	(revision 70599)
@@ -617,7 +617,13 @@
     }
 
+    /* Check if service name is a string terminated by zero*/
+    size_t cchInfo = 0;
+    if (RTStrNLenEx(pServiceLocation->u.host.achName, sizeof(pServiceLocation->u.host.achName), &cchInfo) != VINF_SUCCESS)
+    {
+        return VERR_INVALID_PARAMETER;
+    }
+
     if (!pDrv->pVMMDev || !pDrv->pVMMDev->hgcmIsActive())
         return VERR_INVALID_STATE;
-
     return HGCMGuestConnect(pDrv->pHGCMPort, pCmd, pServiceLocation->u.host.achName, pu32ClientID);
 }