Index: /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.cpp
===================================================================
--- /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.cpp	(revision 82676)
+++ /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.cpp	(revision 82677)
@@ -76,4 +76,9 @@
 *   Defined Constants And Macros                                                                                                 *
 *********************************************************************************************************************************/
+/* 128 should be enough */
+#define VBOXVHWA_MAX_SURFACES 128
+#define VBOXVHWA_MAX_WIDTH    4096
+#define VBOXVHWA_MAX_HEIGHT   4096
+
 #ifdef VBOXQGL_PROF_BASE
 # ifdef VBOXQGL_DBG_SURF
@@ -313,33 +318,22 @@
 #endif
 
-VBoxVHWAHandleTable::VBoxVHWAHandleTable(uint32_t initialSize)
-{
-    mTable = new void*[initialSize];
-    memset(mTable, 0, initialSize*sizeof(void*));
-    mcSize = initialSize;
-    mcUsage = 0;
-    mCursor = 1; /* 0 is treated as invalid */
+VBoxVHWAHandleTable::VBoxVHWAHandleTable(uint32_t maxSize)
+    :
+    mcSize(maxSize),
+    mcUsage(0),
+    mCursor(1) /* 0 is treated as invalid */
+{
+    mTable = (void **)RTMemAllocZ(sizeof(void *) * maxSize);
 }
 
 VBoxVHWAHandleTable::~VBoxVHWAHandleTable()
 {
-    delete[] mTable;
+    RTMemFree(mTable);
 }
 
 uint32_t VBoxVHWAHandleTable::put(void *data)
 {
-    Assert(data);
-    if (!data)
-        return VBOXVHWA_SURFHANDLE_INVALID;
-
-    if (mcUsage == mcSize)
-    {
-        /** @todo resize */
-        AssertFailed();
-    }
-
-    Assert(mcUsage < mcSize);
-    if (mcUsage >= mcSize)
-        return VBOXVHWA_SURFHANDLE_INVALID;
+    AssertPtrReturn(data, VBOXVHWA_SURFHANDLE_INVALID);
+    AssertReturn(mcUsage < mcSize, VBOXVHWA_SURFHANDLE_INVALID);
 
     for (int k = 0; k < 2; ++k)
@@ -362,29 +356,27 @@
 }
 
-bool VBoxVHWAHandleTable::mapPut(uint32_t h, void * data)
-{
-    if (mcSize <= h)
-        return false;
-    if (h == 0)
-        return false;
+bool VBoxVHWAHandleTable::mapPut(uint32_t h, void *data)
+{
+    AssertReturn(h > 0 && h < mcSize, false);
+    RT_UNTRUSTED_VALIDATED_FENCE();
     if (mTable[h])
         return false;
-
     doPut(h, data);
     return true;
 }
 
-void* VBoxVHWAHandleTable::get(uint32_t h)
-{
-    Assert(h < mcSize);
-    Assert(h > 0);
+void * VBoxVHWAHandleTable::get(uint32_t h)
+{
+    AssertReturn(h > 0 && h < mcSize, NULL);
+    RT_UNTRUSTED_VALIDATED_FENCE();
     return mTable[h];
 }
 
-void* VBoxVHWAHandleTable::remove(uint32_t h)
+void * VBoxVHWAHandleTable::remove(uint32_t h)
 {
     Assert(mcUsage);
-    Assert(h < mcSize);
-    void* val = mTable[h];
+    AssertReturn(h > 0 && h < mcSize, NULL);
+    RT_UNTRUSTED_VALIDATED_FENCE();
+    void *val = mTable[h];
     Assert(val);
     if (val)
@@ -1491,8 +1483,8 @@
 {
     GLenum tt = texTarget();
+    QRect rect = mRect;
     if (pRect)
-        Assert(mRect.contains(*pRect));
-    else
-        pRect = &mRect;
+        rect = rect.intersected(*pRect);
+    AssertReturnVoid(!rect.isEmpty());
 
     Assert(glIsTexture(mTexture));
@@ -1501,8 +1493,8 @@
             );
 
-    int x = pRect->x()/mColorFormat.widthCompression();
-    int y = pRect->y()/mColorFormat.heightCompression();
-    int width = pRect->width()/mColorFormat.widthCompression();
-    int height = pRect->height()/mColorFormat.heightCompression();
+    int x = rect.x()/mColorFormat.widthCompression();
+    int y = rect.y()/mColorFormat.heightCompression();
+    int width = rect.width()/mColorFormat.widthCompression();
+    int height = rect.height()/mColorFormat.heightCompression();
 
     uchar *address = pAddress + pointOffsetTex(x, y);
@@ -1668,5 +1660,5 @@
 {
     if (pRect)
-        Assert(mRect.contains(*pRect));
+        AssertReturn(mRect.contains(*pRect), false);
 
     if (mUpdateMem2TexRect.isClear())
@@ -1865,5 +1857,5 @@
 
     if (pRect)
-        Assert(mRect.contains(*pRect));
+        AssertReturn(mRect.contains(*pRect), VERR_GENERAL_FAILURE);
 
     Assert(mLockCount >= 0);
@@ -1877,5 +1869,5 @@
     VBOXQGLLOG_METHODTIME("time ");
 
-    mUpdateMem2TexRect.add(pRect ? *pRect : mRect);
+    mUpdateMem2TexRect.add(pRect ? mRect.intersected(*pRect) : mRect);
 
     Assert(!mUpdateMem2TexRect.isClear());
@@ -1894,5 +1886,5 @@
 {
     mTargRect = aTargRect;
-    mSrcRect = aSrcRect;
+    mSrcRect = mRect.intersected(aSrcRect);
 }
 
@@ -1972,6 +1964,5 @@
 void VBoxVHWASurfaceBase::updatedMem(const QRect *rec)
 {
-    if (rec)
-        Assert(mRect.contains(*rec));
+    AssertReturnVoid(mRect.contains(*rec));
     mUpdateMem2TexRect.add(*rec);
 }
@@ -2043,7 +2034,6 @@
 }
 
-
 VBoxVHWAImage::VBoxVHWAImage ()
-    : mSurfHandleTable(128) /* 128 should be enough */
+    : mSurfHandleTable(VBOXVHWA_MAX_SURFACES)
     , mRepaintNeeded(false)
 //  ,  mbVGASurfCreated(false)
@@ -2194,4 +2184,11 @@
     VBOXQGLLOG_ENTER(("\n"));
 
+    if (pCmd->SurfInfo.width > VBOXVHWA_MAX_WIDTH || pCmd->SurfInfo.height > VBOXVHWA_MAX_HEIGHT)
+    {
+        AssertFailed();
+        pCmd->u.out.ErrInfo = -1;
+        return VINF_SUCCESS;
+    }
+
     const VBoxVHWAInfo & info = vboxVHWAGetSupportInfo(NULL);
 
@@ -2292,8 +2289,9 @@
     VBOXQGLLOG_ENTER (("\n"));
 
-    uint32_t handle = VBOXVHWA_SURFHANDLE_INVALID;
-    if (pCmd->SurfInfo.hSurf != VBOXVHWA_SURFHANDLE_INVALID)
-    {
-        handle = pCmd->SurfInfo.hSurf;
+    uint32_t handle = pCmd->SurfInfo.hSurf;
+    AssertReturn(handle == VBOXVHWA_SURFHANDLE_INVALID || handle < VBOXVHWA_MAX_SURFACES, VERR_GENERAL_FAILURE);
+    RT_UNTRUSTED_VALIDATED_FENCE();
+    if (handle != VBOXVHWA_SURFHANDLE_INVALID)
+    {
         if (mSurfHandleTable.get(handle))
         {
@@ -2343,10 +2341,8 @@
         VBoxVHWASurfaceBase *pVga = vgaSurface();
 #ifdef VBOX_WITH_WDDM
-        uchar * addr = vboxVRAMAddressFromOffset(pCmd->SurfInfo.offSurface);
-        Assert(addr);
-        if (addr)
-        {
-            pVga->setAddress(addr);
-        }
+        uchar *addr = vboxVRAMAddressFromOffset(pCmd->SurfInfo.offSurface);
+        AssertPtrReturn(addr, VERR_GENERAL_FAILURE);
+        RT_UNTRUSTED_VALIDATED_FENCE();
+        pVga->setAddress(addr);
 #endif
 
@@ -2396,4 +2392,9 @@
     if (!surf)
     {
+        ASSERT_GUEST_RETURN(   pCmd->SurfInfo.width <= VBOXVHWA_MAX_WIDTH
+                            && pCmd->SurfInfo.height <= VBOXVHWA_MAX_HEIGHT, VERR_GENERAL_FAILURE);
+        ASSERT_GUEST_RETURN(pCmd->SurfInfo.cBackBuffers < VBOXVHWA_MAX_SURFACES, VERR_GENERAL_FAILURE);
+        RT_UNTRUSTED_VALIDATED_FENCE();
+
         VBOXVHWAIMG_TYPE fFlags = 0;
         if (!bNoPBO)
@@ -2441,4 +2442,5 @@
 
         uchar *addr = vboxVRAMAddressFromOffset(pCmd->SurfInfo.offSurface);
+        AssertReturn(addr || pCmd->SurfInfo.offSurface == VBOXVHWA_OFFSET64_VOID, VERR_GENERAL_FAILURE);
         surf->init(mDisplay.getPrimary(), addr);
 
@@ -2534,4 +2536,7 @@
 int VBoxVHWAImage::vhwaSurfaceGetInfo(struct VBOXVHWACMD_SURF_GETINFO RT_UNTRUSTED_VOLATILE_GUEST *pCmd)
 {
+    ASSERT_GUEST_RETURN(   pCmd->SurfInfo.width <= VBOXVHWA_MAX_WIDTH
+                        && pCmd->SurfInfo.height <= VBOXVHWA_MAX_HEIGHT, VERR_INVALID_PARAMETER);
+    RT_UNTRUSTED_VALIDATED_FENCE();
     VBoxVHWAColorFormat format;
     Assert(!format.isValid());
@@ -2570,14 +2575,17 @@
     {
         Assert(pList);
-        pList->remove(pSurf);
-        if (pList->surfaces().empty())
-        {
-            mDisplay.removeOverlay(pList);
-            if (pList == mConstructingList)
+        if (pList)
+        {
+            pList->remove(pSurf);
+            if (pList->surfaces().empty())
             {
-                mConstructingList = NULL;
-                mcRemaining2Contruct = 0;
+                mDisplay.removeOverlay(pList);
+                if (pList == mConstructingList)
+                {
+                    mConstructingList = NULL;
+                    mcRemaining2Contruct = 0;
+                }
+                delete pList;
             }
-            delete pList;
         }
 
@@ -2586,7 +2594,6 @@
     else
     {
-        Assert(pList);
-        Assert(pList->size() >= 1);
-        if (pList->size() > 1)
+        Assert(pList && pList->size() >= 1);
+        if (pList && pList->size() > 1)
         {
             if (pSurf == mDisplay.getVGA())
@@ -2907,5 +2914,4 @@
     if (pSrcSurf->getComplexList()->current() != NULL)
     {
-        Assert(pDstSurf);
         if (pDstSurf != mDisplay.getPrimary())
         {
@@ -3600,11 +3606,17 @@
 uchar *VBoxVHWAImage::vboxVRAMAddressFromOffset(uint64_t offset)
 {
-    /** @todo check vramSize() */
-    return (offset != VBOXVHWA_OFFSET64_VOID) ? ((uint8_t *)vramBase()) + offset : NULL;
+    if (offset == VBOXVHWA_OFFSET64_VOID)
+        return NULL;
+    AssertReturn(offset <= vramSize(), NULL);
+    RT_UNTRUSTED_VALIDATED_FENCE();
+    return (uint8_t *)vramBase() + offset;
 }
 
 uint64_t VBoxVHWAImage::vboxVRAMOffsetFromAddress(uchar *addr)
 {
-    return uint64_t(addr - ((uchar *)vramBase()));
+    AssertReturn((uintptr_t)addr >= (uintptr_t)vramBase(), VBOXVHWA_OFFSET64_VOID);
+    uint64_t const offset = uint64_t((uintptr_t)addr - (uintptr_t)vramBase());
+    AssertReturn(offset <= vramSize(), VBOXVHWA_OFFSET64_VOID);
+    return offset;
 }
 
Index: /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.h
===================================================================
--- /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.h	(revision 82676)
+++ /trunk/src/VBox/Frontends/VirtualBox/src/VBoxFBOverlay.h	(revision 82677)
@@ -750,5 +750,5 @@
 {
 public:
-    VBoxVHWAHandleTable(uint32_t initialSize);
+    VBoxVHWAHandleTable(uint32_t maxSize);
     ~VBoxVHWAHandleTable();
     uint32_t put(void * data);