Index: /trunk/src/VBox/HostDrivers/VBoxUSB/USBFilter.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/VBoxUSB/USBFilter.cpp	(revision 82661)
+++ /trunk/src/VBox/HostDrivers/VBoxUSB/USBFilter.cpp	(revision 82662)
@@ -327,4 +327,15 @@
     }
 
+    /* Validate that string value offsets are inside the string table. */
+    for (uint32_t i = 0; i < RT_ELEMENTS(pFilter->aFields); i++)
+    {
+        if (    USBFilterIsMethodUsingStringValue((USBFILTERMATCH)pFilter->aFields[i].enmMatch)
+            &&  pFilter->aFields[i].u16Value > pFilter->offCurEnd)
+        {
+            Log(("USBFilter: %p - bad offset=%#x\n", pFilter->aFields[i].u16Value));
+            return VERR_INVALID_PARAMETER;
+        }
+    }
+
     /*
      * Validate the string table.
@@ -350,5 +361,5 @@
         unsigned i;
         for (i = 0; i < RT_ELEMENTS(pFilter->aFields); i++)
-            if (    USBFilterIsMethodString((USBFILTERMATCH)pFilter->aFields[i].enmMatch)
+            if (    USBFilterIsMethodUsingStringValue((USBFILTERMATCH)pFilter->aFields[i].enmMatch)
                 &&  pFilter->aFields[i].u16Value == off)
                 break;
@@ -1791,5 +1802,5 @@
 
 /**
- * Checks if a matching method is for string fields or not.
+ * Checks if a matching method is for numeric fields or not.
  *
  * @returns true / false.