Index: /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_evaluators.c
===================================================================
--- /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_evaluators.c	(revision 78104)
+++ /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_evaluators.c	(revision 78105)
@@ -360,4 +360,20 @@
 	}
 
+    switch (target) {
+        case GL_MAP1_VERTEX_3:
+        case GL_MAP1_VERTEX_4:
+        case GL_MAP1_INDEX:
+        case GL_MAP1_COLOR_4:
+        case GL_MAP1_NORMAL:
+        case GL_MAP1_TEXTURE_COORD_1:
+        case GL_MAP1_TEXTURE_COORD_2:
+        case GL_MAP1_TEXTURE_COORD_3:
+        case GL_MAP1_TEXTURE_COORD_4:
+            break;
+        default:
+            crStateError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMap1d(bad target)");
+            return;
+    }
+
 	i = target - GL_MAP1_COLOR_4;
 
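Review bot: The relocated `switch (target)` is indented with four spaces, while the context lines around it (for example `i = target - GL_MAP1_COLOR_4;`) use tabs; re-indent it with tabs to match the file. The ordering is the whole point of the move, so record it above the switch, e.g. `/* Reject unknown targets before i = target - GL_MAP1_COLOR_4 is computed below. */`. Both remarks also apply to the `GL_MAP2_*` switch added at @@ -474. The enclosing function starts and ends outside the hunk.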
@@ -378,20 +394,4 @@
 		crStateError(__LINE__, __FILE__, GL_INVALID_OPERATION,
 								 "glMap1d(current texture unit must be zero)");
-		return;
-	}
-
-	switch (target) {
-	case GL_MAP1_VERTEX_3:
-	case GL_MAP1_VERTEX_4:
-	case GL_MAP1_INDEX:
-	case GL_MAP1_COLOR_4:
-	case GL_MAP1_NORMAL:
-	case GL_MAP1_TEXTURE_COORD_1:
-	case GL_MAP1_TEXTURE_COORD_2:
-	case GL_MAP1_TEXTURE_COORD_3:
-	case GL_MAP1_TEXTURE_COORD_4:
-		break;
-	default:
-		crStateError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMap1d(bad target)");
 		return;
 	}
@@ -474,5 +474,21 @@
 	}
 
-	if (g->extensions.NV_vertex_program) {
+    switch (target) {
+        case GL_MAP2_VERTEX_3:
+        case GL_MAP2_VERTEX_4:
+        case GL_MAP2_INDEX:
+        case GL_MAP2_COLOR_4:
+        case GL_MAP2_NORMAL:
+        case GL_MAP2_TEXTURE_COORD_1:
+        case GL_MAP2_TEXTURE_COORD_2:
+        case GL_MAP2_TEXTURE_COORD_3:
+        case GL_MAP2_TEXTURE_COORD_4:
+            break;
+        default:
+            crStateError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMap2d()");
+            return;
+    }
+
+    if (g->extensions.NV_vertex_program) {
 /* XXX FIXME */
 		i = target - GL_MAP2_COLOR_4;
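Review bot: The error text in the new default branch, `"glMap2d()"`, does not say what was rejected, whereas the matching branch for the one-dimensional map reports `"glMap1d(bad target)"`. Since the line is being moved anyway, change it to `crStateError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMap2d(bad target)");` so a log entry identifies the failed validation. The surrounding function is only partly visible in this hunk.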
@@ -508,20 +524,4 @@
 	}
 #endif
-
-	switch (target) {
-	case GL_MAP2_VERTEX_3:
-	case GL_MAP2_VERTEX_4:
-	case GL_MAP2_INDEX:
-	case GL_MAP2_COLOR_4:
-	case GL_MAP2_NORMAL:
-	case GL_MAP2_TEXTURE_COORD_1:
-	case GL_MAP2_TEXTURE_COORD_2:
-	case GL_MAP2_TEXTURE_COORD_3:
-	case GL_MAP2_TEXTURE_COORD_4:
-		break;
-	default:
-		crStateError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMap2d()");
-		return;
-	}
 
 	/* make copy of the control points */
Index: /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_teximage.c
===================================================================
--- /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_teximage.c	(revision 78104)
+++ /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_teximage.c	(revision 78105)
@@ -218,4 +218,18 @@
     CRTextureState *t = &(g->texture);
     CRTextureUnit *unit = t->unit + t->curTextureUnit;
+    
+    if (level < 0 || level > MaxTextureLevel(g, texTarget)) {
+        crWarning("Wrong texture level=%d", level);
+        *obj = NULL;
+        *img = NULL;
+        return;
+    }
+
+    if (level < 0 || level >= CR_MAX_MIPMAP_LEVELS)
+    {
+        crWarning("unexpected level 0x%x", level);
+        *obj = NULL;
+        *img = NULL;
+    }
 
     switch (texTarget) {
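Review bot: The second range check, `if (level < 0 || level >= CR_MAX_MIPMAP_LEVELS)`, clears `*obj` and `*img` but has no `return;`, so execution falls through into `switch (texTarget)` with the out-of-range level still in use. Add `return;` after `*img = NULL;`, as the first check does. If `MaxTextureLevel()` can never exceed `CR_MAX_MIPMAP_LEVELS - 1`, the second block is unreachable and could be dropped or turned into an assertion; that relationship is not visible here. Callers can now get NULL in both out-parameters for a bad level, so each call site needs a NULL check; those sites are outside this hunk.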
@@ -691,4 +705,10 @@
     CRTextureLevel *tl = NULL;
     (void)x; (void)y;
+
+    if (level < 0 || level > MaxTextureLevel(g, target)) {
+        crStateError(__LINE__, __FILE__, GL_INVALID_VALUE,
+                     "crStateCopyTexImage2D: invalid level: %d", level);
+        return;
+    }
     
     crStateGetTextureObjectAndImage(g, target, level, &tobj, &tl);
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/presenter/server_presenter.cpp
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/presenter/server_presenter.cpp	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/presenter/server_presenter.cpp	(revision 78105)
@@ -146,6 +146,22 @@
 static int8_t crFbImgFromDimOffVramBGRA(VBOXCMDVBVAOFFSET offVRAM, uint32_t width, uint32_t height, CR_BLITTER_IMG *pImg)
 {
-    uint32_t cbBuff = width * height * 4;
+    uint32_t cbBuff;
+    
+    if (width == 0 || height == 0)
+    {
+        WARN(("invalid param"));
+        return -1;
+    }
+    
+    cbBuff = width * height * 4;
+    // Check if overflow happened
+    if (cbBuff / width != height * 4)
+    {
+        WARN(("invalid param"));
+        return -1;
+    }
+    
     if (offVRAM >= g_cbVRam
+            || UINT32_MAX - cbBuff <= offVRAM
             || offVRAM + cbBuff >= g_cbVRam)
     {
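Review bot: The overflow test `cbBuff / width != height * 4` is incomplete, because `height * 4` on the right-hand side is itself a 32-bit multiplication that can wrap. With the constructed values width = 2 and height = 0x40000001, cbBuff wraps to 8 and both sides of the comparison equal 4, so the check passes with a tiny cbBuff for a huge image. Test before multiplying instead: `if (height > UINT32_MAX / 4 / width) { WARN(("invalid param")); return -1; }` followed by `cbBuff = width * height * 4;`. The subsequent offVRAM range test then works on a trustworthy cbBuff. The function body continues past the end of the hunk.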
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py	(revision 78105)
@@ -49,5 +49,5 @@
     'GetProgramParameterfvNV': 4,
     'GetProgramivNV': 1,
-    'GetTrackMatrixivNV': 1,
+    'GetTrackMatrixivNV': 24,
     'GetVertexAttribPointervNV': 1,
     'GetVertexAttribdvNV': 4,
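Review bot: The new value 24 for `'GetTrackMatrixivNV'` has no explanation, yet this table sizes the generated local array (see `max_components[func_name]` in the second hunk of this file). A comment on the entry, such as `# max number of values the host GL may write for any accepted pname`, would tell the next editor that lowering it presumably makes the buffer too small again. Which pname needs 24 values is not visible here, so the comment should name it.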
@@ -127,5 +127,6 @@
         local_argname = 'local_%s' % lastParam[0]
 
-        print('\tunsigned int cComponents = 0;');
+        if not func_name in no_pnames:
+            print('\tunsigned int cComponents = 0;');
         print('\t%s %s[%d] = { 0 };' % ( local_argtype, local_argname, max_components[func_name] ))
         print('\t(void) %s;' % lastParam[0])
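Review bot: `if not func_name in no_pnames:` reads more naturally as `if func_name not in no_pnames:`, and the trailing `;` after `print('\tunsigned int cComponents = 0;')` is redundant in Python. Because the declaration is now conditional, it is worth confirming that no code emitted later for functions in `no_pnames` still references `cComponents`. The rest of the generator loop is outside the hunk.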
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getpixelmap.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getpixelmap.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getpixelmap.c	(revision 78105)
@@ -80,5 +80,5 @@
 
         size *= tabsize;
-        local_values = (GLfloat*)crAlloc( size );
+        local_values = (GLfloat*)crCalloc( size );
 
         cr_server.head_spu->dispatch_table.GetPixelMapfv( map, local_values );
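Review bot: `local_values` is passed to `GetPixelMapfv` on the next statement with no NULL check after `crCalloc( size )`. Unless crCalloc aborts on failure (not visible here), a failed allocation becomes a write through NULL in the host process. Add a guard before the dispatch call, e.g. `if (!local_values) { crWarning("GetPixelMapfv: out of memory"); return; }`, assuming the function returns void. `size *= tabsize` just above is also not checked for wrap-around, and the origin of tabsize is outside the hunk. The same applies to the GetPixelMapuiv and GetPixelMapusv hunks at @@ -107 and @@ -134.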
@@ -107,5 +107,5 @@
 
         size *= tabsize;
-        local_values = (GLuint*)crAlloc( size );
+        local_values = (GLuint*)crCalloc( size );
 
         cr_server.head_spu->dispatch_table.GetPixelMapuiv( map, local_values );
@@ -134,5 +134,5 @@
 
         size *= tabsize;
-        local_values = (GLushort*)crAlloc( size );
+        local_values = (GLushort*)crCalloc( size );
 
         cr_server.head_spu->dispatch_table.GetPixelMapusv( map, local_values );
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c	(revision 78105)
@@ -359,5 +359,5 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetObjectParameterfvARB( VBoxGLhandleARB obj, GLenum pname, GLfloat * params )
 {
-    GLfloat local_params[1];
+    GLfloat local_params[1] = {0};
     GLuint hwid = crStateGetProgramHWID(obj);
     (void) params;
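Review bot: The reason for the new `= {0}` initialiser on `local_params` is not recorded, so a later cleanup could remove it as redundant. A comment above the declaration would preserve the intent, e.g. `/* zero-init: the GL call may leave this untouched on error, and the contents are sent back to the client */`. That the buffer is returned to the client is presumed from the `(void) params;` pattern and should be confirmed against the rest of the function, which is outside the hunk. The same comment fits crServerDispatchGetObjectParameterivARB below and the two declarations changed in server_glsl.c.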
@@ -378,5 +378,5 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetObjectParameterivARB( VBoxGLhandleARB obj, GLenum pname, GLint * params )
 {
-    GLint local_params[1];
+    GLint local_params[1] = {0};
     GLuint hwid = crStateGetProgramHWID(obj);
     if (!hwid)
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c	(revision 78105)
@@ -151,5 +151,5 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetProgramiv( GLuint program, GLenum pname, GLint * params )
 {
-    GLint local_params[1];
+    GLint local_params[1] = {0};
     (void) params;
     cr_server.head_spu->dispatch_table.GetProgramiv(crStateGetProgramHWID(program), pname, local_params);
@@ -159,5 +159,5 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetShaderiv( GLuint shader, GLenum pname, GLint * params )
 {
-    GLint local_params[1];
+    GLint local_params[1] = {0};
     (void) params;
     cr_server.head_spu->dispatch_table.GetShaderiv( crStateGetShaderHWID(shader), pname, local_params );
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_papi.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_papi.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_papi.c	(revision 78105)
@@ -32,4 +32,8 @@
 	cr_server.head_spu->dispatch_table.ChromiumParametervCR( GL_PRINT_STRING_CR, GL_UNSIGNED_BYTE, sizeof(debug_buf), debug_buf );
 #endif
+
+	if (count > CR_MAX_CLIENTS)
+		count = CR_MAX_CLIENTS;
+
 	if (count == 0)
 	{
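Review bot: An oversized `count` is silently clamped by `if (count > CR_MAX_CLIENTS) count = CR_MAX_CLIENTS;`, so the request proceeds with a different value than the client sent and nothing is logged. Either reject the call or at least log it, e.g. `crWarning("count %u exceeds CR_MAX_CLIENTS, clamping", count);` inside the `if`. If `count` is a signed type (its declaration is outside the hunk), a negative value would pass both this test and `count == 0` below, so the lower bound needs a check as well. The function starts and ends outside the hunk.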
Index: /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_misc.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_misc.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_misc.c	(revision 78105)
@@ -26,4 +26,11 @@
     GLsizei n = READ_DATA( 8, GLsizei );
     const GLuint *ids = DATA_POINTER(12, GLuint);
+
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLint) / 4 || !DATA_POINTER_CHECK(12 + n * sizeof(GLuint)))
+    {
+        crError("crUnpackExtendDeleteQueriesARB: parameter 'n' is out of range");
+        return;
+    }
+
     cr_unpackDispatch.DeleteQueriesARB(n, ids);
 }
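Review bot: The bound `n >= INT32_MAX / sizeof(GLint) / 4` uses `sizeof(GLint)` and an unexplained divisor, while the length actually checked is `12 + n * sizeof(GLuint)`; the link between the two should be stated. Keep the value but add a comment above the `if`, e.g. `/* keeps 12 + n * sizeof(GLuint) well below INT32_MAX */`. Also put the rejected value in the message: `crError("crUnpackExtendDeleteQueriesARB: n=%d is out of range", n);`. The same applies to the cRects check at @@ -84, where the divisor is 8 and the multiplier is `4 * cRects * sizeof(GLint)`. `n == 0` is treated as an error here; whether it should be a quiet no-op depends on how crError behaves, which is not visible.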
@@ -84,4 +91,11 @@
     GLint cRects = READ_DATA( 24, GLint );
     GLint *pRects = (GLint *)DATA_POINTER( 28, GLvoid );
+
+    if (cRects <= 0 || cRects >= INT32_MAX / sizeof(GLint) / 8 || !DATA_POINTER_CHECK(28 + 4 * cRects * sizeof(GLint)))
+    {
+        crError("crUnpackExtendVBoxTexPresent: parameter 'cRects' is out of range");
+        return;
+    }
+
     cr_unpackDispatch.VBoxTexPresent( texture, cfg, xPos, yPos, cRects, pRects );
 }
Index: /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_shaders.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_shaders.c	(revision 78104)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_shaders.c	(revision 78105)
@@ -43,5 +43,5 @@
     int pos, pos_check;
 
-    if (count <= 0 || count >= INT32_MAX / sizeof(char *) / 4)
+    if (count <= 0 || count >= INT32_MAX / sizeof(GLint) / 8)
     {
         crError("crUnpackExtendShaderSource: count %u is out of range", count);
@@ -50,4 +50,10 @@
 
     pos = 20 + count * sizeof(*pLocalLength);
+
+    if (!DATA_POINTER_CHECK(pos))
+    {
+        crError("crUnpackExtendShaderSource: pos %d is out of range", pos);
+        return;
+    }
 
     if (hasNonLocalLen > 0)
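Review bot: The `DATA_POINTER_CHECK` failures added in this file all log the same text, `"crUnpackExtendShaderSource: pos %d is out of range"`, so a log line cannot be traced to the check that fired. Give each site its own wording: here `pos` is the end of the `count`-entry length array, so `"crUnpackExtendShaderSource: length table end %d is out of range"` fits. Use something like `"... string data start %d ..."` for the check at @@ -57, and include the loop index in the one at @@ -74. The function starts and ends outside these hunks.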
@@ -57,15 +63,15 @@
     }
 
+    if (!DATA_POINTER_CHECK(pos))
+    {
+        crError("crUnpackExtendShaderSource: pos %d is out of range", pos);
+        return;
+    }
+
     pos_check = pos;
 
-    if (!DATA_POINTER_CHECK(pos_check))
-    {
-        crError("crUnpackExtendShaderSource: pos %d is out of range", pos_check);
-        return;
-    }
-
     for (i = 0; i < count; ++i)
     {
-        if (pLocalLength[i] <= 0 || pos_check >= INT32_MAX - pLocalLength[i] || !DATA_POINTER_CHECK(pos_check))
+        if (pLocalLength[i] <= 0 || pos_check >= INT32_MAX - pLocalLength[i])
         {
             crError("crUnpackExtendShaderSource: pos %d is out of range", pos_check);
@@ -74,4 +80,10 @@
 
         pos_check += pLocalLength[i];
+
+        if (!DATA_POINTER_CHECK(pos_check))
+        {
+            crError("crUnpackExtendShaderSource: pos %d is out of range", pos_check);
+            return;
+        }
     }
 
